Scaled authentication of endpoint devices

ABSTRACT

Various embodiments of the present application set forth a computer-implemented method that includes generating, based on a resource file stored at an endpoint device, a credential data packet for authenticating with a first application executing in a first network, where the resource file includes a set of encryption keys associated with a plurality of applications including the first application, and where the credential data packet is encrypted with a device key signed by the endpoint device, and the credential data packet is signed by an endpoint device management (EDM) key extracted from the set of encryptions keys included in the resource file, sending, by the endpoint device, the credential data packet to the first application via a trusted communication channel, and receiving, by the endpoint device and in response to the credential data packet, an authorization packet from the first application via the trusted communication channel.

BACKGROUND Field of the Embodiments

The present invention relates generally to computer networks, and morespecifically, to scaled authentication of endpoint devices.

Description of the Related Art

In modern computing environments, multitudes of endpoint devices connectto a networked computing environment. Each endpoint device may attemptto access computing resources within the networked computing environmentin order to perform certain actions, such as retrieving data from remotedata sources or initiating processes within specific computingenvironments. In order to authenticate and authorize a user attemptingto access the networked computing environment, an endpoint deviceassociated with the user connects to devices included within thenetworked computing environment. The devices within the networkedcomputing environment may, in turn, authenticate both the endpointdevice, as well as the identity of the user that is attempting to accessthe networked computing environment. Upon authenticating the endpointdevice and the user, the networked computing environment may thenauthorize the user to access one or more of the computing resources.

One drawback of conventional techniques for authenticating users thatattempt access to the networked computing environment is thatregistering a given endpoint device associated with a user to enableaccess requires manual intervention. For example, a system administratorsends a time-limited authentication code in order to limit the time thatthe not-yet-authorized endpoint device can access the networkedcomputing environment. However, when registering large numbers ofendpoint devices, inclusion of this manual intervention in theregistration process is cumbersome both for the individual users ofendpoint devices, as well as the system administrator that manages thenetworked computing environment. Consequently, time-limitedauthentication codes are inefficient for large-scale deployments.Further, system administrators do register large quantities of endpointdevices. Such practices prevent system administrators from registeringlarge quantities of endpoint devices, or even from using such networkedoperating environments.

As the foregoing illustrates, what is needed in the art is an efficientway for endpoint devices to register for services within a networkedcomputing environment.

SUMMARY

Various embodiments of the present application set forth acomputer-implemented method that includes generating, based on aresource file stored at an endpoint device, a credential data packet forauthenticating with a first application executing in a first network,where the resource file includes a set of encryption keys associatedwith a plurality of applications including the first application, andwhere the credential data packet is encrypted with a device key signedby the endpoint device, and the credential data packet is signed by anendpoint device management (EDM) key extracted from the set ofencryptions keys included in the resource file, sending, by the endpointdevice, the credential data packet to the first application via atrusted communication channel, and receiving, by the endpoint device andin response to the credential data packet, an authorization packet fromthe first application via the trusted communication channel.

Other embodiments of the present invention include, without limitation,one or more computer-readable media including instructions forperforming one or more aspects of the disclosed techniques, as well as acomputing device for performing one or more aspects of the disclosedtechniques.

At least one technological advantage of the disclosed techniquesrelative to prior techniques is that individual users may, withoutrequiring intervention by an intermediate manager, directly register anendpoint device via secure communications in order to access a remoteapplication. Consequently, by eliminating intermediary systems in deviceauthentication techniques, the disclosed techniques that provideautomated authentication and authorization thus enable devices tosecurely register and authenticate large numbers of devices whenaccessing devices within the networked computing environment. Further,by enabling an endpoint device to sign user credentials using a providedendpoint device management key, an endpoint device manager caneffectively cause endpoint devices to adhere to policies provided by theendpoint device manager.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the inventioncan be understood in detail, a more particular description of theinvention may be had by reference to embodiments, some of which areillustrated in the appended drawings. It is to be noted, however, thatthe appended drawings illustrate only typical embodiments of thisinvention and are therefore not to be considered limiting of its scope,for the invention may admit to other equally effective embodiments.

The present disclosure is illustrated by way of example, and notlimitation, in the figures of the accompanying drawings, in which likereference numerals indicate similar elements and in which:

FIG. 1 is a block diagram of an example networked computer environment,in accordance with example embodiments;

FIG. 2 is a block diagram of an example data intake and query system, inaccordance with example embodiments;

FIG. 3 is a block diagram of an example cloud-based data intake andquery system, in accordance with example embodiments;

FIG. 4 is a block diagram of an example data intake and query systemthat performs searches across external data systems, in accordance withexample embodiments;

FIG. 5A is a flowchart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments;

FIG. 5B is a block diagram of a data structure in which time-stampedevent data can be stored in a data store, in accordance with exampleembodiments;

FIG. 5C provides a visual representation of the manner in which apipelined search language or query operates, in accordance with exampleembodiments;

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments;

FIG. 6B provides a visual representation of an example manner in which apipelined command language or query operates, in accordance with exampleembodiments;

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments;

FIG. 7B illustrates an example of processing keyword searches and fieldsearches, in accordance with disclosed embodiments;

FIG. 7C illustrates an example of creating and using an inverted index,in accordance with example embodiments;

FIG. 7D depicts a flowchart of example use of an inverted index in apipelined search query, in accordance with example embodiments;

FIG. 8A is an interface diagram of an example user interface for asearch screen, in accordance with example embodiments;

FIG. 8B is an interface diagram of an example user interface for a datasummary dialog that enables a user to select various data sources, inaccordance with example embodiments;

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments;

FIG. 16 is an example search query received from a client and executedby search peers, in accordance with example embodiments;

FIG. 17A is an interface diagram of an example user interface of a keyindicators view, in accordance with example embodiments;

FIG. 17B is an interface diagram of an example user interface of anincident review dashboard, in accordance with example embodiments;

FIG. 17C is a tree diagram of an example a proactive monitoring tree, inaccordance with example embodiments;

FIG. 17D is an interface diagram of an example a user interfacedisplaying both log data and performance data, in accordance withexample embodiments;

FIG. 18A illustrates a network architecture that enables securecommunications between mobile devices and an on-premises environment forthe data intake and query system, in accordance with exampleembodiments;

FIG. 18B illustrates a more-detailed view of the example system of FIG.4 , in accordance with example embodiments;

FIG. 19 is a block diagram of another example networked computerenvironment of FIG. 1 , in accordance with example embodiments;

FIG. 20A is an example user interface for configuring identifier filesof FIG. 19 , in accordance with example embodiments;

FIG. 20B is an example user interface for facilitating the generation ofa resource file of FIG. 19 ;

FIG. 20C is an example user interface that displays the contents of aresource file of FIG. 19 , in accordance with example embodiments;

FIG. 21 is an example user interface for deploying a resource file ofFIG. 20C, in accordance with example embodiments;

FIG. 22 illustrates a call flow diagram showing interactions betweenvarious components of the example networked computing environment 1900,in accordance with example embodiments;

FIG. 23 is an example user interface for selecting a remote applicationof FIG. 19 for authentication of a managed endpoint device, inaccordance with example embodiments;

FIG. 24 sets for a flow diagram of method steps for authenticating amanaged endpoint device, in accordance with example embodiments.

DETAILED DESCRIPTION

Embodiments are described herein according to the following outline:

1.0 General Overview . . . 7

2.0 Operating Environment . . . 12

2.1 Host Devices . . . 13

2.2 Client Devices . . . 14

2.3 Client Device Applications . . . 14

2.4 Data Server System . . . 17

2.5 Cloud-Based System Overview . . . 18

2.6 Searching Externally-Archived Data . . . 20

-   -   2.6.1 ERP Process Features . . . 24

2.7 Data Ingestion . . . 27

-   -   2.7.1 Input . . . 28    -   2.7.2 Parsing . . . 29    -   2.7.3 Indexing . . . 32

2.8 Query Processing . . . 46

2.9 Pipelined Search Language . . . 48

2.10 Field Extraction . . . 51

2.11 Example Search Screen . . . 58

2.12 DATA MODELS . . . 59

2.13 Acceleration Technique . . . 65

-   -   2.13.1 Aggregation Technique . . . 65    -   2.13.2 Keyword Index . . . 66    -   2.13.3 High Performance Analytics Store . . . 66        -   2.13.3.1 Extracting Event Data Using Posting . . . 72        -   2.13.3.2 Accelerating Report Generation . . . 76

2.14 Security Features . . . 77

2.15 Data Center Monitoring . . . 81

3.0 Device Associated Data Retrieval System . . . 83

4.0 Scaled Authentication of Endpoint Devices . . . 89

4.1 Endpoint Device Authentication System . . . 89

4.2 Managed Endpoint Deployment . . . 97

4.3 Managed Endpoint Device Registration . . . 99

1.0 General Overview

Modern data centers and other computing environments can compriseanywhere from a few host computer systems to thousands of systemsconfigured to process data, service requests from remote clients, andperform numerous other computational tasks. During operation, variouscomponents within these computing environments often generatesignificant volumes of machine data. Machine data is any data producedby a machine or component in an information technology (IT) environmentand that reflects activity in the IT environment. For example, machinedata can be raw machine data that is generated by various components inIT environments, such as servers, sensors, routers, mobile devices,Internet of Things (IoT) devices, etc. Machine data can include systemlogs, network packet data, sensor data, application program data, errorlogs, stack traces, system performance data, etc. In general, machinedata can also include performance data, diagnostic information, and manyother types of data that can be analyzed to diagnose performanceproblems, monitor user interactions, and to derive other insights.

A number of tools are available to analyze machine data. In order toreduce the size of the potentially vast amount of machine data that maybe generated, many of these tools typically pre-process the data basedon anticipated data-analysis needs. For example, pre-specified dataitems may be extracted from the machine data and stored in a database tofacilitate efficient retrieval and analysis of those data items atsearch time. However, the rest of the machine data typically is notsaved and is discarded during pre-processing. As storage capacitybecomes progressively cheaper and more plentiful, there are fewerincentives to discard these portions of machine data and many reasons toretain more of the data.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed machine data for laterretrieval and analysis. In general, storing minimally processed machinedata and performing analysis operations at search time can providegreater flexibility because it enables an analyst to search all of themachine data, instead of searching only a pre-specified set of dataitems. This may enable an analyst to investigate different aspects ofthe machine data that previously were unavailable for analysis.

However, analyzing and searching massive quantities of machine datapresents a number of challenges. For example, a data center, servers, ornetwork appliances may generate many different types and formats ofmachine data (e.g., system logs, network packet data (e.g., wire data,etc.), sensor data, application program data, error logs, stack traces,system performance data, operating system data, virtualization data,etc.) from thousands of different components, which can collectively bevery time-consuming to analyze. In another example, mobile devices maygenerate large amounts of information relating to data accesses,application performance, operating system performance, networkperformance, etc. There can be millions of mobile devices that reportthese types of information.

These challenges can be addressed by using an event-based data intakeand query system, such as the SPLUNK® ENTERPRISE system developed bySplunk Inc. of San Francisco, Calif. The SPLUNK® ENTERPRISE system isthe leading platform for providing real-time operational intelligencethat enables organizations to collect, index, and search machine datafrom various websites, applications, servers, networks, and mobiledevices that power their businesses. The data intake and query system isparticularly useful for analyzing data which is commonly found in systemlog files, network data, and other data input sources. Although many ofthe techniques described herein are explained with reference to a dataintake and query system similar to the SPLUNK® ENTERPRISE system, thesetechniques are also applicable to other types of data systems.

In the data intake and query system, machine data are collected andstored as “events”. An event comprises a portion of machine data and isassociated with a specific point in time. The portion of machine datamay reflect activity in an IT environment and may be produced by acomponent of that IT environment, where the events may be searched toprovide insight into the IT environment, thereby improving theperformance of components in the IT environment. Events may be derivedfrom “time series data,” where the time series data comprises a sequenceof data points (e.g., performance measurements from a computer system,etc.) that are associated with successive points in time. In general,each event has a portion of machine data that is associated with atimestamp that is derived from the portion of machine data in the event.A timestamp of an event may be determined through interpolation betweentemporally proximate events having known timestamps or may be determinedbased on other configurable rules for associating timestamps withevents.

In some instances, machine data can have a predefined format, where dataitems with specific data formats are stored at predefined locations inthe data. For example, the machine data may include data associated withfields in a database table. In other instances, machine data may nothave a predefined format (e.g., may not be at fixed, predefinedlocations), but may have repeatable (e.g., non-random) patterns. Thismeans that some machine data can comprise various data items ofdifferent data types that may be stored at different locations withinthe data. For example, when the data source is an operating system log,an event can include one or more lines from the operating system logcontaining machine data that includes different types of performance anddiagnostic information associated with a specific point in time (e.g., atimestamp).

Examples of components which may generate machine data from which eventscan be derived include, but are not limited to, web servers, applicationservers, databases, firewalls, routers, operating systems, and softwareapplications that execute on computer systems, mobile devices, sensors,Internet of Things (IoT) devices, etc. The machine data generated bysuch data sources can include, for example and without limitation,server log files, activity log files, configuration files, messages,network packet data, performance measurements, sensor measurements, etc.

The data intake and query system uses a flexible schema to specify howto extract information from events. A flexible schema may be developedand redefined as needed. Note that a flexible schema may be applied toevents “on the fly,” when it is needed (e.g., at search time, indextime, ingestion time, etc.). When the schema is not applied to eventsuntil search time, the schema may be referred to as a “late-bindingschema.”

During operation, the data intake and query system receives machine datafrom any type and number of sources (e.g., one or more system logs,streams of network packet data, sensor data, application program data,error logs, stack traces, system performance data, etc.). The systemparses the machine data to produce events each having a portion ofmachine data associated with a timestamp. The system stores the eventsin a data store. The system enables users to run queries against thestored events to, for example, retrieve events that meet criteriaspecified in a query, such as criteria indicating certain keywords orhaving specific values in defined fields. As used herein, the term“field” refers to a location in the machine data of an event containingone or more values for a specific data item. A field may be referencedby a field name associated with the field. As will be described in moredetail herein, a field is defined by an extraction rule (e.g., a regularexpression) that derives one or more values or a sub-portion of textfrom the portion of machine data in each event to produce a value forthe field for that event. The set of values produced aresemantically-related (such as IP address), even though the machine datain each event may be in different formats (e.g., semantically-relatedvalues may be in different positions in the events derived fromdifferent sources).

As described above, the system stores the events in a data store. Theevents stored in the data store are field-searchable, wherefield-searchable herein refers to the ability to search the machine data(e.g., the raw machine data) of an event based on a field specified insearch criteria. For example, a search having criteria that specifies afield name “UserID” may cause the system to field-search the machinedata of events to identify events that have the field name “UserID.” Inanother example, a search having criteria that specifies a field name“UserID” with a corresponding field value “12345” may cause the systemto field-search the machine data of events to identify events havingthat field-value pair (e.g., field name “UserID” with a correspondingfield value of “12345”). Events are field-searchable using one or moreconfiguration files associated with the events. Each configuration fileincludes one or more field names, where each field name is associatedwith a corresponding extraction rule and a set of events to which thatextraction rule applies. The set of events to which an extraction ruleapplies may be identified by metadata associated with the set of events.For example, an extraction rule may apply to a set of events that areeach associated with a particular host, source, or source type. Whenevents are to be searched based on a particular field name specified ina search, the system uses one or more configuration files to determinewhether there is an extraction rule for that particular field name thatapplies to each event that falls within the criteria of the search. Ifso, the event is considered as part of the search results (andadditional processing may be performed on that event based on criteriaspecified in the search). If not, the next event is similarly analyzed,and so on.

As noted above, the data intake and query system utilizes a late-bindingschema while performing queries on events. One aspect of a late-bindingschema is applying extraction rules to events to extract values forspecific fields during search time. More specifically, the extractionrule for a field can include one or more instructions that specify howto extract a value for the field from an event. An extraction rule cangenerally include any type of instruction for extracting values fromevents. In some cases, an extraction rule comprises a regularexpression, where a sequence of characters form a search pattern. Anextraction rule comprising a regular expression is referred to herein asa regex rule. The system applies a regex rule to an event to extractvalues for a field associated with the regex rule, where the values areextracted by searching the event for the sequence of characters definedin the regex rule.

In the data intake and query system, a field extractor may be configuredto automatically generate extraction rules for certain fields in theevents when the events are being created, indexed, or stored, orpossibly at a later time. Alternatively, a user may manually defineextraction rules for fields using a variety of techniques. In contrastto a conventional schema for a database system, a late-binding schema isnot defined at data ingestion time. Instead, the late-binding schema canbe developed on an ongoing basis until the time a query is actuallyexecuted. This means that extraction rules for the fields specified in aquery may be provided in the query itself, or may be located duringexecution of the query. Hence, as a user learns more about the data inthe events, the user can continue to refine the late-binding schema byadding new fields, deleting fields, or modifying the field extractionrules for use the next time the schema is used by the system. Becausethe data intake and query system maintains the underlying machine dataand uses a late-binding schema for searching the machine data, itenables a user to continue investigating and learn valuable insightsabout the machine data.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent and/or similar data items, even thoughthe fields may be associated with different types of events thatpossibly have different data formats and different extraction rules. Byenabling a common field name to be used to identify equivalent and/orsimilar fields from different types of events generated by disparatedata sources, the system facilitates use of a “common information model”(CIM) across the disparate data sources (further discussed with respectto FIG. 7A).

2.0 Operating Environment

FIG. 1 is a block diagram of an example networked computer environment100, in accordance with example embodiments. Those skilled in the artwould understand that FIG. 1 represents one example of a networkedcomputer system and other embodiments may use different arrangements.

The networked computer system 100 comprises one or more computingdevices. These one or more computing devices comprise any combination ofhardware and software configured to implement the various logicalcomponents described herein. For example, the one or more computingdevices may include one or more memories that store instructions forimplementing the various components described herein, one or morehardware processors configured to execute the instructions stored in theone or more memories, and various data repositories in the one or morememories for storing data structures utilized and manipulated by thevarious components.

In some embodiments, one or more client devices 102 are coupled to oneor more host devices 106 and a data intake and query system 108 via oneor more networks 104. Networks 104 broadly represent one or more LANs,WANs, cellular networks (e.g., LTE, HSPA, 3G, and other cellulartechnologies), and/or networks using any of wired, wireless, terrestrialmicrowave, or satellite links, and may include the public Internet.

2.1 Host Devices

In the illustrated embodiment, a system 100 includes one or more hostdevices 106. Host devices 106 may broadly include any number ofcomputers, virtual machine instances, and/or data centers that areconfigured to host or execute one or more instances of host applications114. In general, a host device 106 may be involved, directly orindirectly, in processing requests received from client devices 102.Each host device 106 may comprise, for example, one or more of a networkdevice, a web server, an application server, a database server, etc. Acollection of host devices 106 may be configured to implement anetwork-based service. For example, a provider of a network-basedservice may configure one or more host devices 106 and host applications114 (e.g., one or more web servers, application servers, databaseservers, etc.) to collectively implement the network-based application.

In general, client devices 102 communicate with one or more hostapplications 114 to exchange information. The communication between aclient device 102 and a host application 114 may, for example, be basedon the Hypertext Transfer Protocol (HTTP) or any other network protocol.Content delivered from the host application 114 to a client device 102may include, for example, HTML documents, media content, etc. Thecommunication between a client device 102 and host application 114 mayinclude sending various requests and receiving data packets. Forexample, in general, a client device 102 or application running on aclient device may initiate communication with a host application 114 bymaking a request for a specific resource (e.g., based on an HTTPrequest), and the application server may respond with the requestedcontent stored in one or more response packets.

In the illustrated embodiment, one or more of host applications 114 maygenerate various types of performance data during operation, includingevent logs, network data, sensor data, and other types of machine data.For example, a host application 114 comprising a web server may generateone or more web server logs in which details of interactions between theweb server and any number of client devices 102 is recorded. As anotherexample, a host device 106 comprising a router may generate one or morerouter logs that record information related to network traffic managedby the router. As yet another example, a host application 114 comprisinga database server may generate one or more logs that record informationrelated to requests sent from other host applications 114 (e.g., webservers or application servers) for data managed by the database server.

2.2 Client Devices

Client devices 102 of FIG. 1 represent any computing device capable ofinteracting with one or more host devices 106 via a network 104.Examples of client devices 102 may include, without limitation,smartphones, tablet computers, handheld computers, wearable devices,laptop computers, desktop computers, servers, portable media players,gaming devices, and so forth. In general, a client device 102 canprovide access to different content, for instance, content provided byone or more host devices 106, etc. Each client device 102 may compriseone or more client applications 110, described in more detail in aseparate section hereinafter.

2.3 Client Device Applications

In some embodiments, each client device 102 may host or execute one ormore client applications 110 that are capable of interacting with one ormore host devices 106 via one or more networks 104. For instance, aclient application 110 may be or comprise a web browser that a user mayuse to navigate to one or more websites or other resources provided byone or more host devices 106. As another example, a client application110 may comprise a mobile application or “app.” For example, an operatorof a network-based service hosted by one or more host devices 106 maymake available one or more mobile apps that enable users of clientdevices 102 to access various resources of the network-based service. Asyet another example, client applications 110 may include backgroundprocesses that perform various operations without direct interactionfrom a user. A client application 110 may include a “plug-in” or“extension” to another application, such as a web browser plug-in orextension.

In some embodiments, a client application 110 may include a monitoringcomponent 112. At a high level, the monitoring component 112 comprises asoftware component or other logic that facilitates generatingperformance data related to a client device's operating state, includingmonitoring network traffic sent and received from the client device andcollecting other device and/or application-specific information.Monitoring component 112 may be an integrated component of a clientapplication 110, a plug-in, an extension, or any other type of add-oncomponent. Monitoring component 112 may also be a stand-alone process.

In some embodiments, a monitoring component 112 may be created when aclient application 110 is developed, for example, by an applicationdeveloper using a software development kit (SDK). The SDK may includecustom monitoring code that can be incorporated into the codeimplementing a client application 110. When the code is converted to anexecutable application, the custom code implementing the monitoringfunctionality can become part of the application itself.

In some embodiments, an SDK or other code for implementing themonitoring functionality may be offered by a provider of a data intakeand query system, such as a system 108. In such cases, the provider ofthe system 108 can implement the custom code so that performance datagenerated by the monitoring functionality is sent to the system 108 tofacilitate analysis of the performance data by a developer of the clientapplication or other users.

In some embodiments, the custom monitoring code may be incorporated intothe code of a client application 110 in a number of different ways, suchas the insertion of one or more lines in the client application codethat call or otherwise invoke the monitoring component 112. As such, adeveloper of a client application 110 can add one or more lines of codeinto the client application 110 to trigger the monitoring component 112at desired points during execution of the application. Code thattriggers the monitoring component may be referred to as a monitortrigger. For instance, a monitor trigger may be included at or near thebeginning of the executable code of the client application 110 such thatthe monitoring component 112 is initiated or triggered as theapplication is launched, or included at other points in the code thatcorrespond to various actions of the client application, such as sendinga network request or displaying a particular interface.

In some embodiments, the monitoring component 112 may monitor one ormore aspects of network traffic sent and/or received by a clientapplication 110. For example, the monitoring component 112 may beconfigured to monitor data packets transmitted to and/or from one ormore host applications 114. Incoming and/or outgoing data packets can beread or examined to identify network data contained within the packets,for example, and other aspects of data packets can be analyzed todetermine a number of network performance statistics. Monitoring networktraffic may enable information to be gathered particular to the networkperformance associated with a client application 110 or set ofapplications.

In some embodiments, network performance data refers to any type of datathat indicates information about the network and/or network performance.Network performance data may include, for instance, a URL requested, aconnection type (e.g., HTTP, HTTPS, etc.), a connection start time, aconnection end time, an HTTP status code, request length, responselength, request headers, response headers, connection status (e.g.,completion, response time(s), failure, etc.), and the like. Uponobtaining network performance data indicating performance of thenetwork, the network performance data can be transmitted to a dataintake and query system 108 for analysis.

Upon developing a client application 110 that incorporates a monitoringcomponent 112, the client application 110 can be distributed to clientdevices 102. Applications generally can be distributed to client devices102 in any manner, or they can be pre-loaded. In some cases, theapplication may be distributed to a client device 102 via an applicationmarketplace or other application distribution system. For instance, anapplication marketplace or other application distribution system mightdistribute the application to a client device based on a request fromthe client device to download the application.

Examples of functionality that enables monitoring performance of aclient device are described in U.S. patent application Ser. No.14/524,748, entitled “UTILIZING PACKET HEADERS TO MONITOR NETWORKTRAFFIC IN ASSOCIATION WITH A CLIENT DEVICE”, filed on 27 Oct. 2014, andwhich is hereby incorporated by reference in its entirety for allpurposes.

In some embodiments, the monitoring component 112 may also monitor andcollect performance data related to one or more aspects of theoperational state of a client application 110 and/or client device 102.For example, a monitoring component 112 may be configured to collectdevice performance information by monitoring one or more client deviceoperations, or by making calls to an operating system and/or one or moreother applications executing on a client device 102 for performanceinformation. Device performance information may include, for instance, acurrent wireless signal strength of the device, a current connectiontype and network carrier, current memory performance information, ageographic location of the device, a device orientation, and any otherinformation related to the operational state of the client device.

In some embodiments, the monitoring component 112 may also monitor andcollect other device profile information including, for example, a typeof client device, a manufacturer and model of the device, versions ofvarious software applications installed on the device, and so forth.

In general, a monitoring component 112 may be configured to generateperformance data in response to a monitor trigger in the code of aclient application 110 or other triggering application event, asdescribed above, and to store the performance data in one or more datarecords. Each data record, for example, may include a collection offield-value pairs, each field-value pair storing a particular item ofperformance data in association with a field for the item. For example,a data record generated by a monitoring component 112 may include a“networkLatency” field (not shown in FIG. 1 ) in which a value isstored. This field indicates a network latency measurement associatedwith one or more network requests. The data record may include a “state”field to store a value indicating a state of a network connection, andso forth for any number of aspects of collected performance data.

2.4 Data Server System

FIG. 2 is a block diagram of an example data intake and query system108, in accordance with example embodiments. System 108 includes one ormore forwarders 204 that receive data from a variety of input datasources 202, and one or more indexers 206 that process and store thedata in one or more data stores 208. These forwarders 204 and indexers208 can comprise separate computer systems, or may alternativelycomprise separate processes executing on one or more computer systems.

Each data source 202 broadly represents a distinct source of data thatcan be consumed by system 108. Examples of data sources 202 include,without limitation, data files, directories of files, data sent over anetwork, event logs, registries, etc.

During operation, the forwarders 204 identify which indexers 206 receivedata collected from a data source 202 and forward the data to theappropriate indexers. Forwarders 204 can also perform operations on thedata before forwarding, including removing extraneous data, detectingtimestamps in the data, parsing data, indexing data, routing data basedon criteria relating to the data being routed, and/or performing otherdata transformations.

In some embodiments, a forwarder 204 may comprise a service accessibleto client devices 102 and host devices 106 via a network 104. Forexample, one type of forwarder 204 may be capable of consuming vastamounts of real-time data from a potentially large number of clientdevices 102 and/or host devices 106. The forwarder 204 may, for example,comprise a computing device which implements multiple data pipelines or“queues” to handle forwarding of network data to indexers 206. Aforwarder 204 may also perform many of the functions that are performedby an indexer. For example, a forwarder 204 may perform keywordextractions on raw data or parse raw data to create events. A forwarder204 may generate time stamps for events. Additionally or alternatively,a forwarder 204 may perform routing of events to indexers 206. Datastore 208 may contain events derived from machine data from a variety ofsources all pertaining to the same component in an IT environment, andthis data may be produced by the machine in question or by othercomponents in the IT environment.

2.5 Cloud-Based System Overview

The example data intake and query system 108 described in reference toFIG. 2 comprises several system components, including one or moreforwarders, indexers, and search heads. In some environments, a user ofa data intake and query system 108 may install and configure, oncomputing devices owned and operated by the user, one or more softwareapplications that implement some or all of these system components. Forexample, a user may install a software application on server computersowned by the user and configure each server to operate as one or more ofa forwarder, an indexer, a search head, etc. This arrangement generallymay be referred to as an “on-premises” solution. That is, the system 108is installed and operates on computing devices directly controlled bythe user of the system. Some users may prefer an on-premises solutionbecause it may provide a greater level of control over the configurationof certain aspects of the system (e.g., security, privacy, standards,controls, etc.). However, other users may instead prefer an arrangementin which the user is not directly responsible for providing and managingthe computing devices upon which various components of system 108operate.

In one embodiment, to provide an alternative to an entirely on-premisesenvironment for system 108, one or more of the components of a dataintake and query system instead may be provided as a cloud-basedservice. In this context, a cloud-based service refers to a servicehosted by one more computing resources that are accessible to end usersover a network, for example, by using a web browser or other applicationon a client device to interface with the remote computing resources. Forexample, a service provider may provide a cloud-based data intake andquery system by managing computing resources configured to implementvarious aspects of the system (e.g., forwarders, indexers, search heads,etc.) and by providing access to the system to end users via a network.Typically, a user may pay a subscription or other fee to use such aservice. Each subscribing user of the cloud-based service may beprovided with an account that enables the user to configure a customizedcloud-based system based on the user's preferences.

FIG. 3 illustrates a block diagram of an example cloud-based data intakeand query system. Similar to the system of FIG. 2 , the networkedcomputer system 300 includes input data sources 202 and forwarders 204.These input data sources and forwarders may be in a subscriber's privatecomputing environment. Alternatively, they might be directly managed bythe service provider as part of the cloud service. In the example system300, one or more forwarders 204 and client devices 302 are coupled to acloud-based data intake and query system 306 via one or more networks304. Network 304 broadly represents one or more LANs, WANs, cellularnetworks, intranetworks, internetworks, etc., using any of wired,wireless, terrestrial microwave, satellite links, etc., and may includethe public Internet, and is used by client devices 302 and forwarders204 to access the system 306. Similar to the system of 38, each of theforwarders 204 may be configured to receive data from an input sourceand to forward the data to other components of the system 306 forfurther processing.

In some embodiments, a cloud-based data intake and query system 306 maycomprise a plurality of system instances 308. In general, each systeminstance 308 may include one or more computing resources managed by aprovider of the cloud-based system 306 made available to a particularsubscriber. The computing resources comprising a system instance 308may, for example, include one or more servers or other devicesconfigured to implement one or more forwarders, indexers, search heads,and other components of a data intake and query system, similar tosystem 108. As indicated above, a subscriber may use a web browser orother application of a client device 302 to access a web portal or otherinterface that enables the subscriber to configure an instance 308.

Providing a data intake and query system as described in reference tosystem 108 as a cloud-based service presents a number of challenges.Each of the components of a system 108 (e.g., forwarders, indexers, andsearch heads) may at times refer to various configuration files storedlocally at each component. These configuration files typically mayinvolve some level of user configuration to accommodate particular typesof data a user desires to analyze and to account for other userpreferences. However, in a cloud-based service context, users typicallymay not have direct access to the underlying computing resourcesimplementing the various system components (e.g., the computingresources comprising each system instance 308) and may desire to makesuch configurations indirectly, for example, using one or more web-basedinterfaces. Thus, the techniques and systems described herein forproviding user interfaces that enable a user to configure source typedefinitions are applicable to both on-premises and cloud-based servicecontexts, or some combination thereof (e.g., a hybrid system where bothan on-premises environment, such as SPLUNK® ENTERPRISE, and acloud-based environment, such as SPLUNK CLOUD™, are centrally visible).

2.6 Searching Externally-Archived Data

FIG. 4 shows a block diagram of an example of a data intake and querysystem 108 that provides transparent search facilities for data systemsthat are external to the data intake and query system. Such facilitiesare available in the Splunk® Analytics for Hadoop® system provided bySplunk Inc. of San Francisco, Calif. Splunk® Analytics for Hadoop®represents an analytics platform that enables business and IT teams torapidly explore, analyze, and visualize data in Hadoop® and NoSQL datastores.

The search head 210 of the data intake and query system receives searchrequests from one or more client devices 404 over network connections420. As discussed above, the data intake and query system 108 may residein an enterprise location, in the cloud, etc. FIG. 4 illustrates thatmultiple client devices 404 a, 404 b, . . . , 404 n may communicate withthe data intake and query system 108. The client devices 404 maycommunicate with the data intake and query system using a variety ofconnections. For example, one client device in FIG. 4 is illustrated ascommunicating over an Internet (Web) protocol, another client device isillustrated as communicating via a command line interface, and anotherclient device is illustrated as communicating via a software developerkit (SDK).

The search head 210 analyzes the received search request to identifyrequest parameters. If a search request received from one of the clientdevices 404 references an index maintained by the data intake and querysystem, then the search head 210 connects to one or more indexers 206 ofthe data intake and query system for the index referenced in the requestparameters. That is, if the request parameters of the search requestreference an index, then the search head accesses the data in the indexvia the indexer. The data intake and query system 108 may include one ormore indexers 206, depending on system access resources andrequirements. As described further below, the indexers 206 retrieve datafrom their respective local data stores 208 as specified in the searchrequest. The indexers and their respective data stores can comprise oneor more storage devices and typically reside on the same system, thoughthey may be connected via a local network connection.

If the request parameters of the received search request reference anexternal data collection, which is not accessible to the indexers 206 orunder the management of the data intake and query system, then thesearch head 210 can access the external data collection through anExternal Result Provider (ERP) process 410. An external data collectionmay be referred to as a “virtual index” (plural, “virtual indices”). AnERP process provides an interface through which the search head 210 mayaccess virtual indices.

Thus, a search reference to an index of the system relates to a locallystored and managed data collection. In contrast, a search reference to avirtual index relates to an externally stored and managed datacollection, which the search head may access through one or more ERPprocesses 410, 412. FIG. 4 shows two ERP processes 410, 412 that connectto respective remote (external) virtual indices, which are indicated asa Hadoop or another system 414 (e.g., Amazon S3, Amazon EMR, otherHadoop® Compatible File Systems (HCFS), etc.) and a relational databasemanagement system (RDBMS) 416. Other virtual indices may include otherfile organizations and protocols, such as Structured Query Language(SQL) and the like. The ellipses between the ERP processes 410, 412indicate optional additional ERP processes of the data intake and querysystem 108. An ERP process may be a computer process that is initiatedor spawned by the search head 210 and is executed by the search dataintake and query system 108. Alternatively or additionally, an ERPprocess may be a process spawned by the search head 210 on the same ordifferent host system as the search head 210 resides.

The search head 210 may spawn a single ERP process in response tomultiple virtual indices referenced in a search request, or the searchhead may spawn different ERP processes for different virtual indices.Generally, virtual indices that share common data configurations orprotocols may share ERP processes. For example, all search queryreferences to a Hadoop file system may be processed by the same ERPprocess, if the ERP process is suitably configured. Likewise, all searchquery references to a SQL database may be processed by the same ERPprocess. In addition, the search head may provide a common ERP processfor common external data source types (e.g., a common vendor may utilizea common ERP process, even if the vendor includes different data storagesystem types, such as Hadoop and SQL). Common indexing schemes also maybe handled by common ERP processes, such as flat text files or Weblogfiles.

The search head 210 determines the number of ERP processes to beinitiated via the use of configuration parameters that are included in asearch request message. Generally, there is a one-to-many relationshipbetween an external results provider “family” and ERP processes. Thereis also a one-to-many relationship between an ERP process andcorresponding virtual indices that are referred to in a search request.For example, using RDBMS, assume two independent instances of such asystem by one vendor, such as one RDBMS for production and another RDBMSused for development. In such a situation, it is likely preferable (butoptional) to use two ERP processes to maintain the independent operationas between production and development data. Both of the ERPs, however,will belong to the same family, because the two RDBMS system types arefrom the same vendor.

The ERP processes 410, 412 receive a search request from the search head210. The search head may optimize the received search request forexecution at the respective external virtual index. Alternatively, theERP process may receive a search request as a result of analysisperformed by the search head or by a different system process. The ERPprocesses 410, 412 can communicate with the search head 210 viaconventional input/output routines (e.g., standard in/standard out,etc.). In this way, the ERP process receives the search request from aclient device such that the search request may be efficiently executedat the corresponding external virtual index.

The ERP processes 410, 412 may be implemented as a process of the dataintake and query system. Each ERP process may be provided by the dataintake and query system, or may be provided by process or applicationproviders who are independent of the data intake and query system. Eachrespective ERP process may include an interface application installed ata computer of the external result provider that ensures propercommunication between the search support system and the external resultprovider. The ERP processes 410, 412 generate appropriate searchrequests in the protocol and syntax of the respective virtual indices414, 416, each of which corresponds to the search request received bythe search head 210. Upon receiving search results from theircorresponding virtual indices, the respective ERP process passes theresult to the search head 210, which may return or display the resultsor a processed set of results based on the returned results to therespective client device.

Client devices 404 may communicate with the data intake and query system108 through a network interface 420, e.g., one or more LANs, WANs,cellular networks, intranetworks, and/or internetworks using any ofwired, wireless, terrestrial microwave, satellite links, etc., and mayinclude the public Internet.

The analytics platform utilizing the External Result Provider processdescribed in more detail in U.S. Pat. No. 8,738,629, entitled “ExternalResult Provided Process For Retrieving Data Stored Using A DifferentConfiguration Or Protocol”, issued on 27 May 2014, U.S. Pat. No.8,738,587, entitled “PROCESSING A SYSTEM SEARCH REQUEST BY RETRIEVINGRESULTS FROM BOTH A NATIVE INDEX AND A VIRTUAL INDEX”, issued on 25 Jul.2013, U.S. patent application Ser. No. 14/266,832, entitled “PROCESSINGA SYSTEM SEARCH REQUEST ACROSS DISPARATE DATA COLLECTION SYSTEMS”, filedon 1 May 2014, and U.S. Pat. No. 9,514,189, entitled “PROCESSING ASYSTEM SEARCH REQUEST INCLUDING EXTERNAL DATA SOURCES”, issued on 6 Dec.2016, each of which is hereby incorporated by reference in its entiretyfor all purposes.

2.6.1 ERP Process Features

The ERP processes described above may include two operation modes: astreaming mode and a reporting mode. The ERP processes can operate instreaming mode only, in reporting mode only, or in both modessimultaneously. Operating in both modes simultaneously is referred to asmixed mode operation. In a mixed mode operation, the ERP at some pointcan stop providing the search head with streaming results and onlyprovide reporting results thereafter, or the search head at some pointmay start ignoring streaming results it has been using and only usereporting results thereafter.

The streaming mode returns search results in real time, with minimalprocessing, in response to the search request. The reporting modeprovides results of a search request with processing of the searchresults prior to providing them to the requesting search head, which inturn provides results to the requesting client device. ERP operationwith such multiple modes provides greater performance flexibility withregard to report time, search latency, and resource utilization.

In a mixed mode operation, both streaming mode and reporting mode areoperating simultaneously. The streaming mode results (e.g., the machinedata obtained from the external data source) are provided to the searchhead, which can then process the results data (e.g., break the machinedata into events, timestamp it, filter it, etc.) and integrate theresults data with the results data from other external data sources,and/or from data stores of the search head. The search head performssuch processing and can immediately start returning interim (streamingmode) results to the user at the requesting client device;simultaneously, the search head is waiting for the ERP process toprocess the data it is retrieving from the external data source as aresult of the concurrently executing reporting mode.

In some instances, the ERP process initially operates in a mixed mode,such that the streaming mode operates to enable the ERP quickly toreturn interim results (e.g., some of the machined data or unprocesseddata necessary to respond to a search request) to the search head,enabling the search head to process the interim results and beginproviding to the client or search requester interim results that areresponsive to the query. Meanwhile, in this mixed mode, the ERP alsooperates concurrently in reporting mode, processing portions of machinedata in a manner responsive to the search query. Upon determining thatit has results from the reporting mode available to return to the searchhead, the ERP may halt processing in the mixed mode at that time (orsome later time) by stopping the return of data in streaming mode to thesearch head and switching to reporting mode only. The ERP at this pointstarts sending interim results in reporting mode to the search head,which in turn may then present this processed data responsive to thesearch request to the client or search requester. Typically the searchhead switches from using results from the ERP's streaming mode ofoperation to results from the ERP's reporting mode of operation when thehigher bandwidth results from the reporting mode outstrip the amount ofdata processed by the search head in the streaming mode of ERPoperation.

A reporting mode may have a higher bandwidth because the ERP does nothave to spend time transferring data to the search head for processingall the machine data. In addition, the ERP may optionally direct anotherprocessor to do the processing.

The streaming mode of operation does not need to be stopped to gain thehigher bandwidth benefits of a reporting mode; the search head couldsimply stop using the streaming mode results—and start using thereporting mode results—when the bandwidth of the reporting mode hascaught up with or exceeded the amount of bandwidth provided by thestreaming mode. Thus, a variety of triggers and ways to accomplish asearch head's switch from using streaming mode results to usingreporting mode results may be appreciated by one skilled in the art.

The reporting mode can involve the ERP process (or an external system)performing event breaking, time stamping, filtering of events to matchthe search query request, and calculating statistics on the results. Theuser can request particular types of data, such as if the search queryitself involves types of events, or the search request may ask forstatistics on data, such as on events that meet the search request. Ineither case, the search head understands the query language used in thereceived query request, which may be a proprietary language. Oneexemplary query language is Splunk Processing Language (SPL) developedby the assignee of the application, Splunk Inc. The search headtypically understands how to use that language to obtain data from theindexers, which store data in a format used by the SPLUNK® Enterprisesystem.

The ERP processes support the search head, as the search head is notordinarily configured to understand the format in which data is storedin external data sources such as Hadoop or SQL data systems. Rather, theERP process performs that translation from the query submitted in thesearch support system's native format (e.g., SPL if SPLUNK® ENTERPRISEis used as the search support system) to a search query request formatthat will be accepted by the corresponding external data system. Theexternal data system typically stores data in a different format fromthat of the search support system's native index format, and it utilizesa different query language (e.g., SQL or MapReduce, rather than SPL orthe like).

As noted, the ERP process can operate in the streaming mode alone. Afterthe ERP process has performed the translation of the query request andreceived raw results from the streaming mode, the search head canintegrate the returned data with any data obtained from local datasources (e.g., native to the search support system), other external datasources, and other ERP processes (if such operations were required tosatisfy the terms of the search query). An advantage of mixed modeoperation is that, in addition to streaming mode, the ERP process isalso executing concurrently in reporting mode. Thus, the ERP process(rather than the search head) is processing query results (e.g.,performing event breaking, timestamping, filtering, possibly calculatingstatistics if required to be responsive to the search query request,etc.). It should be apparent to those skilled in the art that additionaltime is needed for the ERP process to perform the processing in such aconfiguration. Therefore, the streaming mode will allow the search headto start returning interim results to the user at the client devicebefore the ERP process can complete sufficient processing to startreturning any search results. The switchover between streaming andreporting mode happens when the ERP process determines that theswitchover is appropriate, such as when the ERP process determines itcan begin returning meaningful results from its reporting mode.

The operation described above illustrates the source of operationallatency: streaming mode has low latency (immediate results) and usuallyhas relatively low bandwidth (fewer results can be returned per unit oftime). In contrast, the concurrently running reporting mode hasrelatively high latency (it has to perform a lot more processing beforereturning any results) and usually has relatively high bandwidth (moreresults can be processed per unit of time). For example, when the ERPprocess does begin returning report results, it returns more processedresults than in the streaming mode, because, e.g., statistics only needto be calculated to be responsive to the search request. That is, theERP process doesn't have to take time to first return machine data tothe search head. As noted, the ERP process could be configured tooperate in streaming mode alone and return just the machine data for thesearch head to process in a way that is responsive to the searchrequest. Alternatively, the ERP process can be configured to operate inthe reporting mode only. Also, the ERP process can be configured tooperate in streaming mode and reporting mode concurrently, as described,with the ERP process stopping the transmission of streaming results tothe search head when the concurrently running reporting mode has caughtup and started providing results. The reporting mode does not requirethe processing of all machine data that is responsive to the searchquery request before the ERP process starts returning results; rather,the reporting mode usually performs processing of chunks of events andreturns the processing results to the search head for each chunk.

For example, an ERP process can be configured to merely return thecontents of a search result file verbatim, with little or no processingof results. That way, the search head performs all processing (such asparsing byte streams into events, filtering, etc.). The ERP process canbe configured to perform additional intelligence, such as analyzing thesearch request and handling all the computation that a native searchindexer process would otherwise perform. In this way, the configured ERPprocess provides greater flexibility in features while operatingaccording to desired preferences, such as response latency and resourcerequirements.

2.7 Data Ingestion

FIG. 5A is a flow chart of an example method that illustrates howindexers process, index, and store data received from forwarders, inaccordance with example embodiments. The data flow illustrated in FIG.5A is provided for illustrative purposes only; those skilled in the artwould understand that one or more of the steps of the processesillustrated in FIG. 5A may be removed or that the ordering of the stepsmay be changed. Furthermore, for the purposes of illustrating a clearexample, one or more particular system components are described in thecontext of performing various operations during each of the data flowstages. For example, a forwarder is described as receiving andprocessing machine data during an input phase; an indexer is describedas parsing and indexing machine data during parsing and indexing phases;and a search head is described as performing a search query during asearch phase. However, other system arrangements and distributions ofthe processing steps across system components may be used.

2.7.1 Input

At block 502, a forwarder receives data from an input source, such as adata source 202 shown in FIG. 2 . A forwarder initially may receive thedata as a raw data stream generated by the input source. For example, aforwarder may receive a data stream from a log file generated by anapplication server, from a stream of network data from a network device,or from any other source of data. In some embodiments, a forwarderreceives the raw data and may segment the data stream into “blocks”,possibly of a uniform data size, to facilitate subsequent processingsteps.

At block 504, a forwarder or other system component annotates each blockgenerated from the raw data with one or more metadata fields. Thesemetadata fields may, for example, provide information related to thedata block as a whole and may apply to each event that is subsequentlyderived from the data in the data block. For example, the metadatafields may include separate fields specifying each of a host, a source,and a source type related to the data block. A host field may contain avalue identifying a host name or IP address of a device that generatedthe data. A source field may contain a value identifying a source of thedata, such as a pathname of a file or a protocol and port related toreceived network data. A source type field may contain a valuespecifying a particular source type label for the data. Additionalmetadata fields may also be included during the input phase, such as acharacter encoding of the data, if known, and possibly other values thatprovide information relevant to later processing steps. In someembodiments, a forwarder forwards the annotated data blocks to anothersystem component (typically an indexer) for further processing.

The data intake and query system allows forwarding of data from one dataintake and query instance to another, or even to a third-party system.The data intake and query system can employ different types offorwarders in a configuration.

In some embodiments, a forwarder may contain the essential componentsneeded to forward data. A forwarder can gather data from a variety ofinputs and forward the data to an indexer for indexing and searching. Aforwarder can also tag metadata (e.g., source, source type, host, etc.).

In some embodiments, a forwarder has the capabilities of theaforementioned forwarder as well as additional capabilities. Theforwarder can parse data before forwarding the data (e.g., can associatea time stamp with a portion of data and create an event, etc.) and canroute data based on criteria such as source or type of event. Theforwarder can also index data locally while forwarding the data toanother indexer.

2.7.2 Parsing

At block 506, an indexer receives data blocks from a forwarder andparses the data to organize the data into events. In some embodiments,to organize the data into events, an indexer may determine a source typeassociated with each data block (e.g., by extracting a source type labelfrom the metadata fields associated with the data block, etc.) and referto a source type configuration corresponding to the identified sourcetype. The source type definition may include one or more properties thatindicate to the indexer to automatically determine the boundaries withinthe received data that indicate the portions of machine data for events.In general, these properties may include regular expression-based rulesor delimiter rules where, for example, event boundaries may be indicatedby predefined characters or character strings. These predefinedcharacters may include punctuation marks or other special charactersincluding, for example, carriage returns, tabs, spaces, line breaks,etc. If a source type for the data is unknown to the indexer, an indexermay infer a source type for the data by examining the structure of thedata. Then, the indexer can apply an inferred source type definition tothe data to create the events.

At block 508, the indexer determines a timestamp for each event. Similarto the process for parsing machine data, an indexer may again refer to asource type definition associated with the data to locate one or moreproperties that indicate instructions for determining a timestamp foreach event. The properties may, for example, instruct an indexer toextract a time value from a portion of data for the event, tointerpolate time values based on timestamps associated with temporallyproximate events, to create a timestamp based on a time the portion ofmachine data was received or generated, to use the timestamp of aprevious event, or use any other rules for determining timestamps.

At block 510, the indexer associates with each event one or moremetadata fields including a field containing the timestamp determinedfor the event. In some embodiments, a timestamp may be included in themetadata fields. These metadata fields may include any number of“default fields” that are associated with all events, and may alsoinclude one more custom fields as defined by a user. Similar to themetadata fields associated with the data blocks at block 504, thedefault metadata fields associated with each event may include a host,source, and source type field including or in addition to a fieldstoring the timestamp.

At block 512, an indexer may optionally apply one or moretransformations to data included in the events created at block 506. Forexample, such transformations can include removing a portion of an event(e.g., a portion used to define event boundaries, extraneous charactersfrom the event, other extraneous text, etc.), masking a portion of anevent (e.g., masking a credit card number), removing redundant portionsof an event, etc. The transformations applied to events may, forexample, be specified in one or more configuration files and referencedby one or more source type definitions.

FIG. 5C illustrates an illustrative example of machine data can bestored in a data store in accordance with various disclosed embodiments.In other embodiments, machine data can be stored in a flat file in acorresponding bucket with an associated index file, such as a timeseries index or “TSIDX.” As such, the depiction of machine data andassociated metadata as rows and columns in the table of FIG. 5C ismerely illustrative and is not intended to limit the data format inwhich the machine data and metadata is stored in various embodimentsdescribed herein. In one particular embodiment, machine data can bestored in a compressed or encrypted formatted. In such embodiments, themachine data can be stored with or be associated with data thatdescribes the compression or encryption scheme with which the machinedata is stored. The information about the compression or encryptionscheme can be used to decompress or decrypt the machine data, and anymetadata with which it is stored, at search time.

As mentioned above, certain metadata, e.g., host 536, source 537, sourcetype 538 and timestamps 535 can be generated for each event, andassociated with a corresponding portion of machine data 539 when storingthe event data in a data store, e.g., data store 208. Any of themetadata can be extracted from the corresponding machine data, orsupplied or defined by an entity, such as a user or computer system. Themetadata fields can become part of or stored with the event. Note thatwhile the time-stamp metadata field can be extracted from the raw dataof each event, the values for the other metadata fields may bedetermined by the indexer based on information it receives pertaining tothe source of the data separate from the machine data.

While certain default or user-defined metadata fields can be extractedfrom the machine data for indexing purposes, all the machine data withinan event can be maintained in its original condition. As such, inembodiments in which the portion of machine data included in an event isunprocessed or otherwise unaltered, it is referred to herein as aportion of raw machine data. In other embodiments, the port of machinedata in an event can be processed or otherwise altered. As such, unlesscertain information needs to be removed for some reasons (e.g.extraneous information, confidential information), all the raw machinedata contained in an event can be preserved and saved in its originalform. Accordingly, the data store in which the event records are storedis sometimes referred to as a “raw record data store.” The raw recorddata store contains a record of the raw event data tagged with thevarious default fields.

In FIG. 5C, the first three rows of the table represent events 531, 532,and 533 and are related to a server access log that records requestsfrom multiple clients processed by a server, as indicated by entry of“access.log” in the source column 536.

In the example shown in FIG. 5C, each of the events 531-534 isassociated with a discrete request made from a client device. The rawmachine data generated by the server and extracted from a server accesslog can include the IP address of the client 540, the user id of theperson requesting the document 541, the time the server finishedprocessing the request 542, the request line from the client 543, thestatus code returned by the server to the client 545, the size of theobject returned to the client (in this case, the gif file requested bythe client) 546 and the time spent to serve the request in microseconds544. As seen in FIG. 5C, all the raw machine data retrieved from theserver access log is retained and stored as part of the correspondingevents, 1221, 1222, and 1223 in the data store.

Event 534 is associated with an entry in a server error log, asindicated by “error.log” in the source column 537, that records errorsthat the server encountered when processing a client request. Similar tothe events related to the server access log, all the raw machine data inthe error log file pertaining to event 534 can be preserved and storedas part of the event 534.

Saving minimally processed or unprocessed machine data in a data storeassociated with metadata fields in the manner similar to that shown inFIG. 5C is advantageous because it allows search of all the machine dataat search time instead of searching only previously specified andidentified fields or field-value pairs. As mentioned above, because datastructures used by various embodiments of the present disclosuremaintain the underlying raw machine data and use a late-binding schemafor searching the raw machines data, it enables a user to continueinvestigating and learn valuable insights about the raw data. In otherwords, the user is not compelled to know about all the fields ofinformation that will be needed at data ingestion time. As a user learnsmore about the data in the events, the user can continue to refine thelate-binding schema by defining new extraction rules, or modifying ordeleting existing extraction rules used by the system.

2.7.3 Indexing

At blocks 514 and 516, an indexer can optionally generate a keywordindex to facilitate fast keyword searching for events. To build akeyword index, at block 514, the indexer identifies a set of keywords ineach event. At block 516, the indexer includes the identified keywordsin an index, which associates each stored keyword with referencepointers to events containing that keyword (or to locations withinevents where that keyword is located, other location identifiers, etc.).When an indexer subsequently receives a keyword-based query, the indexercan access the keyword index to quickly identify events containing thekeyword.

In some embodiments, the keyword index may include entries for fieldname-value pairs found in events, where a field name-value pair caninclude a pair of keywords connected by a symbol, such as an equals signor colon. This way, events containing these field name-value pairs canbe quickly located. In some embodiments, fields can automatically begenerated for some or all of the field names of the field name-valuepairs at the time of indexing. For example, if the string“dest=10.0.1.2” is found in an event, a field named “dest” may becreated for the event, and assigned a value of “10.0.1.2”.

At block 518, the indexer stores the events with an associated timestampin a data store 208. Timestamps enable a user to search for events basedon a time range. In some embodiments, the stored events are organizedinto “buckets,” where each bucket stores events associated with aspecific time range based on the timestamps associated with each event.This improves time-based searching, as well as allows for events withrecent timestamps, which may have a higher likelihood of being accessed,to be stored in a faster memory to facilitate faster retrieval. Forexample, buckets containing the most recent events can be stored inflash memory rather than on a hard disk. In some embodiments, eachbucket may be associated with an identifier, a time range, and a sizeconstraint.

Each indexer 206 may be responsible for storing and searching a subsetof the events contained in a corresponding data store 208. Bydistributing events among the indexers and data stores, the indexers cananalyze events for a query in parallel. For example, using map-reducetechniques, each indexer returns partial responses for a subset ofevents to a search head that combines the results to produce an answerfor the query. By storing events in buckets for specific time ranges, anindexer may further optimize the data retrieval process by searchingbuckets corresponding to time ranges that are relevant to a query.

In some embodiments, each indexer has a home directory and a colddirectory. The home directory of an indexer stores hot buckets and warmbuckets, and the cold directory of an indexer stores cold buckets. A hotbucket is a bucket that is capable of receiving and storing events. Awarm bucket is a bucket that can no longer receive events for storagebut has not yet been moved to the cold directory. A cold bucket is abucket that can no longer receive events and may be a bucket that waspreviously stored in the home directory. The home directory may bestored in faster memory, such as flash memory, as events may be activelywritten to the home directory, and the home directory may typicallystore events that are more frequently searched and thus are accessedmore frequently. The cold directory may be stored in slower and/orlarger memory, such as a hard disk, as events are no longer beingwritten to the cold directory, and the cold directory may typicallystore events that are not as frequently searched and thus are accessedless frequently. In some embodiments, an indexer may also have aquarantine bucket that contains events having potentially inaccurateinformation, such as an incorrect time stamp associated with the eventor a time stamp that appears to be an unreasonable time stamp for thecorresponding event. The quarantine bucket may have events from any timerange; as such, the quarantine bucket may always be searched at searchtime. Additionally, an indexer may store old, archived data in a frozenbucket that is not capable of being searched at search time. In someembodiments, a frozen bucket may be stored in slower and/or largermemory, such as a hard disk, and may be stored in offline and/or remotestorage.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as described in U.S. Pat. No. 9,130,971, entitled “Site-BasedSearch Affinity”, issued on 8 Sep. 2015, and in U.S. patent Ser. No.14/266,817, entitled “Multi-Site Clustering”, issued on 1 Sep. 2015,each of which is hereby incorporated by reference in its entirety forall purposes.

FIG. 5B is a block diagram of an example data store 501 that includes adirectory for each index (or partition) that contains a portion of datamanaged by an indexer. FIG. 5B further illustrates details of anembodiment of an inverted index 507B and an event reference array 515associated with inverted index 507B.

The data store 501 can correspond to a data store 208 that stores eventsmanaged by an indexer 206 or can correspond to a different data storeassociated with an indexer 206. In the illustrated embodiment, the datastore 501 includes a_main directory 503 associated with a _main indexand a _test directory 505 associated with a _test index. However, thedata store 501 can include fewer or more directories. In someembodiments, multiple indexes can share a single directory or allindexes can share a common directory. Additionally, although illustratedas a single data store 501, it will be understood that the data store501 can be implemented as multiple data stores storing differentportions of the information shown in FIG. 5B. For example, a singleindex or partition can span multiple directories or multiple datastores, and can be indexed or searched by multiple correspondingindexers.

In the illustrated embodiment of FIG. 5B, the index-specific directories503 and 505 include inverted indexes 507A, 507B and 509A, 509B,respectively. The inverted indexes 507A . . . 507B, and 509A . . . 509Bcan be keyword indexes or field-value pair indexes described herein andcan include less or more information that depicted in FIG. 5B.

In some embodiments, the inverted index 507A . . . 507B, and 509A . . .509B can correspond to a distinct time-series bucket that is managed bythe indexer 206 and that contains events corresponding to the relevantindex (e.g., _main index, _test index). As such, each inverted index cancorrespond to a particular range of time for an index. Additional files,such as high performance indexes for each time-series bucket of anindex, can also be stored in the same directory as the inverted indexes507A . . . 507B, and 509A . . . 509B. In some embodiments inverted index507A . . . 507B, and 509A . . . 509B can correspond to multipletime-series buckets or inverted indexes 507A . . . 507B, and 509A . . .509B can correspond to a single time-series bucket.

Each inverted index 507A . . . 507B, and 509A . . . 509B can include oneor more entries, such as keyword (or token) entries or field-value pairentries. Furthermore, in certain embodiments, the inverted indexes 507A. . . 507B, and 509A . . . 509B can include additional information, suchas a time range 523 associated with the inverted index or an indexidentifier 525 identifying the index associated with the inverted index507A . . . 507B, and 509A . . . 509B. However, each inverted index 507A. . . 507B, and 509A . . . 509B can include less or more informationthan depicted.

Token entries, such as token entries 511 illustrated in inverted index507B, can include a token 511A (e.g., “error,” “itemID,” etc.) and eventreferences 511B indicative of events that include the token. Forexample, for the token “error,” the corresponding token entry includesthe token “error” and an event reference, or unique identifier, for eachevent stored in the corresponding time-series bucket that includes thetoken “error.” In the illustrated embodiment of FIG. 5B, the error tokenentry includes the identifiers 3, 5, 6, 8, 11, and 12 corresponding toevents managed by the indexer 206 and associated with the index _main503 that are located in the time-series bucket associated with theinverted index 507B.

In some cases, some token entries can be default entries, automaticallydetermined entries, or user specified entries. In some embodiments, theindexer 206 can identify each word or string in an event as a distincttoken and generate a token entry for it. In some cases, the indexer 206can identify the beginning and ending of tokens based on punctuation,spaces, as described in greater detail herein. In certain cases, theindexer 206 can rely on user input or a configuration file to identifytokens for token entries 511, etc. It will be understood that anycombination of token entries can be included as a default, automaticallydetermined, or included based on user-specified criteria.

Similarly, field-value pair entries, such as field-value pair entries513 shown in inverted index 507B, can include a field-value pair 513Aand event references 513B indicative of events that include a fieldvalue that corresponds to the field-value pair. For example, for afield-value pair sourcetype::sendmail, a field-value pair entry wouldinclude the field-value pair sourcetype::sendmail and a uniqueidentifier, or event reference, for each event stored in thecorresponding time-series bucket that includes a sendmail sourcetype.

In some cases, the field-value pair entries 513 can be default entries,automatically determined entries, or user specified entries. As anon-limiting example, the field-value pair entries for the fields host,source, sourcetype can be included in the inverted indexes 507A . . .507B, and 509A . . . 509B as a default. As such, all of the invertedindexes 507A . . . 507B, and 509A . . . 509B can include field-valuepair entries for the fields host, source, sourcetype. As yet anothernon-limiting example, the field-value pair entries for the IP addressfield can be user specified and may only appear in the inverted index507B based on user-specified criteria. As another non-limiting example,as the indexer indexes the events, it can automatically identifyfield-value pairs and create field-value pair entries. For example,based on the indexers review of events, it can identify IP_address as afield in each event and add the IP address field-value pair entries tothe inverted index 507B. It will be understood that any combination offield-value pair entries can be included as a default, automaticallydetermined, or included based on user-specified criteria.

Each unique identifier 517, or event reference, can correspond to aunique event located in the time series bucket. However, the same eventreference can be located in multiple entries. For example if an eventhas a sourcetype splunkd, host www1 and token “warning,” then the uniqueidentifier for the event will appear in the field-value pair entriessourcetype::splunkd and host::www1, as well as the token entry“warning.” With reference to the illustrated embodiment of FIG. 5B andthe event that corresponds to the event reference 3, the event reference3 is found in the field-value pair entries 513 host::hostA,source::sourceB, sourcetype::sourcetypeA, and IP_address::91.205.189.15indicating that the event corresponding to the event references is fromhostA, sourceB, of sourcetypeA, and includes 91.205.189.15 in the eventdata.

For some fields, the unique identifier is located in only onefield-value pair entry for a particular field. For example, the invertedindex may include four sourcetype field-value pair entries correspondingto four different sourcetypes of the events stored in a bucket (e.g.,sourcetypes: sendmail, splunkd, web_access, and web_service). Withinthose four sourcetype field-value pair entries, an identifier for aparticular event may appear in only one of the field-value pair entries.With continued reference to the example illustrated embodiment of FIG.5B, since the event reference 7 appears in the field-value pair entrysourcetype::sourcetypeA, then it does not appear in the otherfield-value pair entries for the sourcetype field, includingsourcetype::sourcetypeB, sourcetype::sourcetypeC, andsourcetype::sourcetypeD.

The event references 517 can be used to locate the events in thecorresponding bucket. For example, the inverted index can include, or beassociated with, an event reference array 515. The event reference array515 can include an array entry 517 for each event reference in theinverted index 507B. Each array entry 517 can include locationinformation 519 of the event corresponding to the unique identifier(non-limiting example: seek address of the event), a timestamp 521associated with the event, or additional information regarding the eventassociated with the event reference, etc.

For each token entry 511 or field-value pair entry 513, the eventreference 501Bor unique identifiers can be listed in chronological orderor the value of the event reference can be assigned based onchronological data, such as a timestamp associated with the eventreferenced by the event reference. For example, the event reference 1 inthe illustrated embodiment of FIG. 5B can correspond to thefirst-in-time event for the bucket, and the event reference 12 cancorrespond to the last-in-time event for the bucket. However, the eventreferences can be listed in any order, such as reverse chronologicalorder, ascending order, descending order, or some other order, etc.Further, the entries can be sorted. For example, the entries can besorted alphabetically (collectively or within a particular group), byentry origin (e.g., default, automatically generated, user-specified,etc.), by entry type (e.g., field-value pair entry, token entry, etc.),or chronologically by when added to the inverted index, etc. In theillustrated embodiment of FIG. 5B, the entries are sorted first by entrytype and then alphabetically.

As a non-limiting example of how the inverted indexes 507A . . . 507B,and 509A . . . 509B can be used during a data categorization requestcommand, the indexers can receive filter criteria indicating data thatis to be categorized and categorization criteria indicating how the datais to be categorized. Example filter criteria can include, but is notlimited to, indexes (or partitions), hosts, sources, sourcetypes, timeranges, field identifier, keywords, etc.

Using the filter criteria, the indexer identifies relevant invertedindexes to be searched. For example, if the filter criteria includes aset of partitions, the indexer can identify the inverted indexes storedin the directory corresponding to the particular partition as relevantinverted indexes. Other means can be used to identify inverted indexesassociated with a partition of interest. For example, in someembodiments, the indexer can review an entry in the inverted indexes,such as an index-value pair entry 513 to determine if a particularinverted index is relevant. If the filter criteria does not identify anypartition, then the indexer can identify all inverted indexes managed bythe indexer as relevant inverted indexes.

Similarly, if the filter criteria includes a time range, the indexer canidentify inverted indexes corresponding to buckets that satisfy at leasta portion of the time range as relevant inverted indexes. For example,if the time range is last hour then the indexer can identify allinverted indexes that correspond to buckets storing events associatedwith timestamps within the last hour as relevant inverted indexes.

When used in combination, an index filter criterion specifying one ormore partitions and a time range filter criterion specifying aparticular time range can be used to identify a subset of invertedindexes within a particular directory (or otherwise associated with aparticular partition) as relevant inverted indexes. As such, the indexercan focus the processing to only a subset of the total number ofinverted indexes that the indexer manages.

Once the relevant inverted indexes are identified, the indexer canreview them using any additional filter criteria to identify events thatsatisfy the filter criteria. In some cases, using the known location ofthe directory in which the relevant inverted indexes are located, theindexer can determine that any events identified using the relevantinverted indexes satisfy an index filter criterion. For example, if thefilter criteria includes a partition main, then the indexer candetermine that any events identified using inverted indexes within thepartition main directory (or otherwise associated with the partitionmain) satisfy the index filter criterion.

Furthermore, based on the time range associated with each invertedindex, the indexer can determine that that any events identified using aparticular inverted index satisfies a time range filter criterion. Forexample, if a time range filter criterion is for the last hour and aparticular inverted index corresponds to events within a time range of50 minutes ago to 35 minutes ago, the indexer can determine that anyevents identified using the particular inverted index satisfy the timerange filter criterion. Conversely, if the particular inverted indexcorresponds to events within a time range of 59 minutes ago to 62minutes ago, the indexer can determine that some events identified usingthe particular inverted index may not satisfy the time range filtercriterion.

Using the inverted indexes, the indexer can identify event references(and therefore events) that satisfy the filter criteria. For example, ifthe token “error” is a filter criterion, the indexer can track all eventreferences within the token entry “error.” Similarly, the indexer canidentify other event references located in other token entries orfield-value pair entries that match the filter criteria. The system canidentify event references located in all of the entries identified bythe filter criteria. For example, if the filter criteria include thetoken “error” and field-value pair sourcetype::web_ui, the indexer cantrack the event references found in both the token entry “error” and thefield-value pair entry sourcetype::web_ui. As mentioned previously, insome cases, such as when multiple values are identified for a particularfilter criterion (e.g., multiple sources for a source filter criterion),the system can identify event references located in at least one of theentries corresponding to the multiple values and in all other entriesidentified by the filter criteria. The indexer can determine that theevents associated with the identified event references satisfy thefilter criteria.

In some cases, the indexer can further consult a timestamp associatedwith the event reference to determine whether an event satisfies thefilter criteria. For example, if an inverted index corresponds to a timerange that is partially outside of a time range filter criterion, thenthe indexer can consult a timestamp associated with the event referenceto determine whether the corresponding event satisfies the time rangecriterion. In some embodiments, to identify events that satisfy a timerange, the indexer can review an array, such as the event referencearray 1614 that identifies the time associated with the events.Furthermore, as mentioned above using the known location of thedirectory in which the relevant inverted indexes are located (or otherindex identifier), the indexer can determine that any events identifiedusing the relevant inverted indexes satisfy the index filter criterion.

In some cases, based on the filter criteria, the indexer reviews anextraction rule. In certain embodiments, if the filter criteria includesa field name that does not correspond to a field-value pair entry in aninverted index, the indexer can review an extraction rule, which may belocated in a configuration file, to identify a field that corresponds toa field-value pair entry in the inverted index.

For example, the filter criteria includes a field name “sessionID” andthe indexer determines that at least one relevant inverted index doesnot include a field-value pair entry corresponding to the field namesessionID, the indexer can review an extraction rule that identifies howthe sessionID field is to be extracted from a particular host, source,or sourcetype (implicitly identifying the particular host, source, orsourcetype that includes a sessionID field). The indexer can replace thefield name “sessionID” in the filter criteria with the identified host,source, or sourcetype. In some cases, the field name “sessionID” may beassociated with multiples hosts, sources, or sourcetypes, in which case,all identified hosts, sources, and sourcetypes can be added as filtercriteria. In some cases, the identified host, source, or sourcetype canreplace or be appended to a filter criterion, or be excluded. Forexample, if the filter criteria includes a criterion for source S1 andthe “sessionID” field is found in source S2, the source S2 can replaceS1 in the filter criteria, be appended such that the filter criteriaincludes source S1 and source S2, or be excluded based on the presenceof the filter criterion source S1. If the identified host, source, orsourcetype is included in the filter criteria, the indexer can thenidentify a field-value pair entry in the inverted index that includes afield value corresponding to the identity of the particular host,source, or sourcetype identified using the extraction rule.

Once the events that satisfy the filter criteria are identified, thesystem, such as the indexer 206 can categorize the results based on thecategorization criteria. The categorization criteria can includecategories for grouping the results, such as any combination ofpartition, source, sourcetype, or host, or other categories or fields asdesired.

The indexer can use the categorization criteria to identifycategorization criteria-value pairs or categorization criteria values bywhich to categorize or group the results. The categorizationcriteria-value pairs can correspond to one or more field-value pairentries stored in a relevant inverted index, one or more index-valuepairs based on a directory in which the inverted index is located or anentry in the inverted index (or other means by which an inverted indexcan be associated with a partition), or other criteria-value pair thatidentifies a general category and a particular value for that category.The categorization criteria values can correspond to the value portionof the categorization criteria-value pair.

As mentioned, in some cases, the categorization criteria-value pairs cancorrespond to one or more field-value pair entries stored in therelevant inverted indexes. For example, the categorizationcriteria-value pairs can correspond to field-value pair entries of host,source, and sourcetype (or other field-value pair entry as desired). Forinstance, if there are ten different hosts, four different sources, andfive different sourcetypes for an inverted index, then the invertedindex can include ten host field-value pair entries, four sourcefield-value pair entries, and five sourcetype field-value pair entries.The indexer can use the nineteen distinct field-value pair entries ascategorization criteria-value pairs to group the results.

Specifically, the indexer can identify the location of the eventreferences associated with the events that satisfy the filter criteriawithin the field-value pairs, and group the event references based ontheir location. As such, the indexer can identify the particular fieldvalue associated with the event corresponding to the event reference.For example, if the categorization criteria include host and sourcetype,the host field-value pair entries and sourcetype field-value pairentries can be used as categorization criteria-value pairs to identifythe specific host and sourcetype associated with the events that satisfythe filter criteria.

In addition, as mentioned, categorization criteria-value pairs cancorrespond to data other than the field-value pair entries in therelevant inverted indexes. For example, if partition or index is used asa categorization criterion, the inverted indexes may not includepartition field-value pair entries. Rather, the indexer can identify thecategorization criteria-value pair associated with the partition basedon the directory in which an inverted index is located, information inthe inverted index, or other information that associates the invertedindex with the partition, etc. As such a variety of methods can be usedto identify the categorization criteria-value pairs from thecategorization criteria.

Accordingly based on the categorization criteria (and categorizationcriteria-value pairs), the indexer can generate groupings based on theevents that satisfy the filter criteria. As a non-limiting example, ifthe categorization criteria includes a partition and sourcetype, thenthe groupings can correspond to events that are associated with eachunique combination of partition and sourcetype. For instance, if thereare three different partitions and two different sourcetypes associatedwith the identified events, then the six different groups can be formed,each with a unique partition value-sourcetype value combination.Similarly, if the categorization criteria includes partition,sourcetype, and host and there are two different partitions, threesourcetypes, and five hosts associated with the identified events, thenthe indexer can generate up to thirty groups for the results thatsatisfy the filter criteria. Each group can be associated with a uniquecombination of categorization criteria-value pairs (e.g., uniquecombinations of partition value sourcetype value, and host value).

In addition, the indexer can count the number of events associated witheach group based on the number of events that meet the uniquecombination of categorization criteria for a particular group (or matchthe categorization criteria-value pairs for the particular group). Withcontinued reference to the example above, the indexer can count thenumber of events that meet the unique combination of partition,sourcetype, and host for a particular group.

Each indexer communicates the groupings to the search head. The searchhead can aggregate the groupings from the indexers and provide thegroupings for display. In some cases, the groups are displayed based onat least one of the host, source, sourcetype, or partition associatedwith the groupings. In some embodiments, the search head can furtherdisplay the groups based on display criteria, such as a display order ora sort order as described in greater detail above.

As a non-limiting example and with reference to FIG. 5B, consider arequest received by an indexer 206 that includes the following filtercriteria: keyword=error, partition=main, time range=3/1/1716:22.00.000-16:28.00.000, sourcetype=sourcetypeC, host=hostB, and thefollowing categorization criteria: source.

Based on the above criteria, the indexer 206 identifies _main directory503 and can ignore _test directory 505 and any other partition-specificdirectories. The indexer determines that inverted partition 507B is arelevant partition based on its location within the _main directory 503and the time range associated with it. For sake of simplicity in thisexample, the indexer 206 determines that no other inverted indexes inthe _main directory 503, such as inverted index 507A satisfy the timerange criterion.

Having identified the relevant inverted index 507B, the indexer reviewsthe token entries 511 and the field-value pair entries 513 to identifyevent references, or events, that satisfy all of the filter criteria.

With respect to the token entries 511, the indexer can review the errortoken entry and identify event references 3, 5, 6, 8, 11, 12, indicatingthat the term “error” is found in the corresponding events. Similarly,the indexer can identify event references 4, 5, 6, 8, 9, 10, 11 in thefield-value pair entry sourcetype::sourcetypeC and event references 2,5, 6, 8, 10, 11 in the field-value pair entry host::hostB. As the filtercriteria did not include a source or an IP_address field-value pair, theindexer can ignore those field-value pair entries.

In addition to identifying event references found in at least one tokenentry or field-value pair entry (e.g., event references 3, 4, 5, 6, 8,9, 10, 11, 12), the indexer can identify events (and corresponding eventreferences) that satisfy the time range criterion using the eventreference array 1614 (e.g., event references 2, 3, 4, 5, 6, 7, 8, 9,10). Using the information obtained from the inverted index 507B(including the event reference array 515), the indexer 206 can identifythe event references that satisfy all of the filter criteria (e.g.,event references 5, 6, 8).

Having identified the events (and event references) that satisfy all ofthe filter criteria, the indexer 206 can group the event referencesusing the received categorization criteria (source). In doing so, theindexer can determine that event references 5 and 6 are located in thefield-value pair entry source::sourceD (or have matching categorizationcriteria-value pairs) and event reference 8 is located in thefield-value pair entry source::sourceC. Accordingly, the indexer cangenerate a sourceC group having a count of one corresponding toreference 8 and a sourceD group having a count of two corresponding toreferences 5 and 6. This information can be communicated to the searchhead. In turn the search head can aggregate the results from the variousindexers and display the groupings. As mentioned above, in someembodiments, the groupings can be displayed based at least in part onthe categorization criteria, including at least one of host, source,sourcetype, or partition.

It will be understood that a change to any of the filter criteria orcategorization criteria can result in different groupings. As a onenon-limiting example, a request received by an indexer 206 that includesthe following filter criteria: partition=main, time range=3/1/17 3/1/1716:21:20.000-16:28:17.000, and the following categorization criteria:host, source, sourcetype would result in the indexer identifying eventreferences 1-12 as satisfying the filter criteria. The indexer wouldthen generate up to 24 groupings corresponding to the 24 differentcombinations of the categorization criteria-value pairs, including host(hostA, hostB), source (sourceA, sourceB, sourceC, sourceD), andsourcetype (sourcetypeA, sourcetypeB, sourcetypeC). However, as thereare only twelve events identifiers in the illustrated embodiment andsome fall into the same grouping, the indexer generates eight groups andcounts as follows:

Group 1 (hostA, sourceA, sourcetypeA): 1 (event reference 7)

Group 2 (hostA, sourceA, sourcetypeB): 2 (event references 1, 12)

Group 3 (hostA, sourceA, sourcetypeC): 1 (event reference 4)

Group 4 (hostA, sourceB, sourcetypeA): 1 (event reference 3)

Group 5 (hostA, sourceB, sourcetypeC): 1 (event reference 9)

Group 6 (hostB, sourceC, sourcetypeA): 1 (event reference 2)

Group 7 (hostB, sourceC, sourcetypeC): 2 (event references 8, 11)

Group 8 (hostB, sourceD, sourcetypeC): 3 (event references 5, 6, 10)

As noted, each group has a unique combination of categorizationcriteria-value pairs or categorization criteria values. The indexercommunicates the groups to the search head for aggregation with resultsreceived from other indexers. In communicating the groups to the searchhead, the indexer can include the categorization criteria-value pairsfor each group and the count. In some embodiments, the indexer caninclude more or less information. For example, the indexer can includethe event references associated with each group and other identifyinginformation, such as the indexer or inverted index used to identify thegroups.

As another non-limiting examples, a request received by an indexer 206that includes the following filter criteria: partition=main, timerange=3/1/17 3/1/17 16:21:20.000-16:28:17.000, source=sourceA, sourceD,and keyword=itemID and the following categorization criteria: host,source, sourcetype would result in the indexer identifying eventreferences 4, 7, and 10 as satisfying the filter criteria, and generatethe following groups:

Group 1 (hostA, sourceA, sourcetypeC): 1 (event reference 4)

Group 2 (hostA, sourceA, sourcetypeA): 1 (event reference 7)

Group 3 (hostB, sourceD, sourcetypeC): 1 (event references 10)

The indexer communicates the groups to the search head for aggregationwith results received from other indexers. As will be understand thereare myriad ways for filtering and categorizing the events and eventreferences. For example, the indexer can review multiple invertedindexes associated with a partition or review the inverted indexes ofmultiple partitions, and categorize the data using any one or anycombination of partition, host, source, sourcetype, or other category,as desired.

Further, if a user interacts with a particular group, the indexer canprovide additional information regarding the group. For example, theindexer can perform a targeted search or sampling of the events thatsatisfy the filter criteria and the categorization criteria for theselected group, also referred to as the filter criteria corresponding tothe group or filter criteria associated with the group.

In some cases, to provide the additional information, the indexer relieson the inverted index. For example, the indexer can identify the eventreferences associated with the events that satisfy the filter criteriaand the categorization criteria for the selected group and then use theevent reference array 515 to access some or all of the identifiedevents. In some cases, the categorization criteria values orcategorization criteria-value pairs associated with the group becomepart of the filter criteria for the review.

With reference to FIG. 5B for instance, suppose a group is displayedwith a count of six corresponding to event references 4, 5, 6, 8, 10, 11(i.e., event references 4, 5, 6, 8, 10, 11 satisfy the filter criteriaand are associated with matching categorization criteria values orcategorization criteria-value pairs) and a user interacts with the group(e.g., selecting the group, clicking on the group, etc.). In response,the search head communicates with the indexer to provide additionalinformation regarding the group.

In some embodiments, the indexer identifies the event referencesassociated with the group using the filter criteria and thecategorization criteria for the group (e.g., categorization criteriavalues or categorization criteria-value pairs unique to the group).Together, the filter criteria and the categorization criteria for thegroup can be referred to as the filter criteria associated with thegroup. Using the filter criteria associated with the group, the indexeridentifies event references 4, 5, 6, 8, 10, 11.

Based on a sampling criteria, discussed in greater detail above, theindexer can determine that it will analyze a sample of the eventsassociated with the event references 4, 5, 6, 8, 10, 11. For example,the sample can include analyzing event data associated with the eventreferences 5, 8, 10. In some embodiments, the indexer can use the eventreference array 1616 to access the event data associated with the eventreferences 5, 8, 10. Once accessed, the indexer can compile the relevantinformation and provide it to the search head for aggregation withresults from other indexers. By identifying events and sampling eventdata using the inverted indexes, the indexer can reduce the amount ofactual data this is analyzed and the number of events that are accessedin order to generate the summary of the group and provide a response inless time.

2.8 Query Processing

FIG. 6A is a flow diagram of an example method that illustrates how asearch head and indexers perform a search query, in accordance withexample embodiments. At block 602, a search head receives a search queryfrom a client. At block 604, the search head analyzes the search queryto determine what portion(s) of the query can be delegated to indexersand what portions of the query can be executed locally by the searchhead. At block 606, the search head distributes the determined portionsof the query to the appropriate indexers. In some embodiments, a searchhead cluster may take the place of an independent search head where eachsearch head in the search head cluster coordinates with peer searchheads in the search head cluster to schedule jobs, replicate searchresults, update configurations, fulfill search requests, etc. In someembodiments, the search head (or each search head) communicates with amaster node (also known as a cluster master, not shown in FIG. 2 ) thatprovides the search head with a list of indexers to which the searchhead can distribute the determined portions of the query. The masternode maintains a list of active indexers and can also designate whichindexers may have responsibility for responding to queries over certainsets of events. A search head may communicate with the master nodebefore the search head distributes queries to indexers to discover theaddresses of active indexers.

At block 608, the indexers to which the query was distributed, searchdata stores associated with them for events that are responsive to thequery. To determine which events are responsive to the query, theindexer searches for events that match the criteria specified in thequery. These criteria can include matching keywords or specific valuesfor certain fields. The searching operations at block 608 may use thelate-binding schema to extract values for specified fields from eventsat the time the query is processed. In some embodiments, one or morerules for extracting field values may be specified as part of a sourcetype definition in a configuration file. The indexers may then eithersend the relevant events back to the search head, or use the events todetermine a partial result, and send the partial result back to thesearch head.

At block 610, the search head combines the partial results and/or eventsreceived from the indexers to produce a final result for the query. Insome examples, the results of the query are indicative of performance orsecurity of the IT environment and may help improve the performance ofcomponents in the IT environment. This final result may comprisedifferent types of data depending on what the query requested. Forexample, the results can include a listing of matching events returnedby the query, or some type of visualization of the data from thereturned events. In another example, the final result can include one ormore calculated values derived from the matching events.

The results generated by the system 108 can be returned to a clientusing different techniques. For example, one technique streams resultsor relevant events back to a client in real-time as they are identified.Another technique waits to report the results to the client until acomplete set of results (which may include a set of relevant events or aresult based on relevant events) is ready to return to the client. Yetanother technique streams interim results or relevant events back to theclient in real-time until a complete set of results is ready, and thenreturns the complete set of results to the client. In another technique,certain results are stored as “search jobs” and the client may retrievethe results by referring the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head begins execution ofa query, the search head can determine a time range for the query and aset of common keywords that all matching events include. The search headmay then use these parameters to query the indexers to obtain a supersetof the eventual results. Then, during a filtering stage, the search headcan perform field-extraction operations on the superset to produce areduced set of search results. This speeds up queries, which may beparticularly helpful for queries that are performed on a periodic basis.

2.9 Pipelined Search Language

Various embodiments of the present disclosure can be implemented using,or in conjunction with, a pipelined command language. A pipelinedcommand language is a language in which a set of inputs or data isoperated on by a first command in a sequence of commands, and thensubsequent commands in the order they are arranged in the sequence. Suchcommands can include any type of functionality for operating on data,such as retrieving, searching, filtering, aggregating, processing,transmitting, and the like. As described herein, a query can thus beformulated in a pipelined command language and include any number ofordered or unordered commands for operating on data.

Splunk Processing Language (SPL) is an example of a pipelined commandlanguage in which a set of inputs or data is operated on by any numberof commands in a particular sequence. A sequence of commands, or commandsequence, can be formulated such that the order in which the commandsare arranged defines the order in which the commands are applied to aset of data or the results of an earlier executed command. For example,a first command in a command sequence can operate to search or filterfor specific data in particular set of data. The results of the firstcommand can then be passed to another command listed later in thecommand sequence for further processing.

In various embodiments, a query can be formulated as a command sequencedefined in a command line of a search UI. In some embodiments, a querycan be formulated as a sequence of SPL commands. Some or all of the SPLcommands in the sequence of SPL commands can be separated from oneanother by a pipe symbol “|”. In such embodiments, a set of data, suchas a set of events, can be operated on by a first SPL command in thesequence, and then a subsequent SPL command following a pipe symbol “|”after the first SPL command operates on the results produced by thefirst SPL command or other set of data, and so on for any additional SPLcommands in the sequence. As such, a query formulated using SPLcomprises a series of consecutive commands that are delimited by pipe“|” characters. The pipe character indicates to the system that theoutput or result of one command (to the left of the pipe) should be usedas the input for one of the subsequent commands (to the right of thepipe). This enables formulation of queries defined by a pipeline ofsequenced commands that refines or enhances the data at each step alongthe pipeline until the desired results are attained. Accordingly,various embodiments described herein can be implemented with SplunkProcessing Language (SPL) used in conjunction with the SPLUNK®ENTERPRISE system.

While a query can be formulated in many ways, a query can start with asearch command and one or more corresponding search terms at thebeginning of the pipeline. Such search terms can include any combinationof keywords, phrases, times, dates, Boolean expressions, fieldname-fieldvalue pairs, etc. that specify which results should be obtained from anindex. The results can then be passed as inputs into subsequent commandsin a sequence of commands by using, for example, a pipe character. Thesubsequent commands in a sequence can include directives for additionalprocessing of the results once it has been obtained from one or moreindexes. For example, commands may be used to filter unwantedinformation out of the results, extract more information, evaluate fieldvalues, calculate statistics, reorder the results, create an alert,create summary of the results, or perform some type of aggregationfunction. In some embodiments, the summary can include a graph, chart,metric, or other visualization of the data. An aggregation function caninclude analysis or calculations to return an aggregate value, such asan average value, a sum, a maximum value, a root mean square,statistical values, and the like.

Due to its flexible nature, use of a pipelined command language invarious embodiments is advantageous because it can perform “filtering”as well as “processing” functions. In other words, a single query caninclude a search command and search term expressions, as well asdata-analysis expressions. For example, a command at the beginning of aquery can perform a “filtering” step by retrieving a set of data basedon a condition (e.g., records associated with server response times ofless than 1 microsecond). The results of the filtering step can then bepassed to a subsequent command in the pipeline that performs a“processing” step (e.g. calculation of an aggregate value related to thefiltered events such as the average response time of servers withresponse times of less than 1 microsecond). Furthermore, the searchcommand can allow events to be filtered by keyword as well as fieldvalue criteria. For example, a search command can filter out all eventscontaining the word “warning” or filter out all events where a fieldvalue associated with a field “clientip” is “10.0.1.2.”

The results obtained or generated in response to a command in a querycan be considered a set of results data. The set of results data can bepassed from one command to another in any data format. In oneembodiment, the set of result data can be in the form of a dynamicallycreated table. Each command in a particular query can redefine the shapeof the table. In some implementations, an event retrieved from an indexin response to a query can be considered a row with a column for eachfield value. Columns contain basic information about the data and alsomay contain data that has been dynamically extracted at search time.

FIG. 6B provides a visual representation of the manner in which apipelined command language or query operates in accordance with thedisclosed embodiments. The query 630 can be inputted by the user into asearch. The query comprises a search, the results of which are piped totwo commands (namely, command 1 and command 2) that follow the searchstep.

Disk 622 represents the event data in the raw record data store.

When a user query is processed, a search step will precede other queriesin the pipeline in order to generate a set of events at block 640. Forexample, the query can comprise search terms “sourcetype=syslog ERROR”at the front of the pipeline as shown in FIG. 6B. Intermediate resultstable 624 shows fewer rows because it represents the subset of eventsretrieved from the index that matched the search terms“sourcetype=syslog ERROR” from search command 630. By way of furtherexample, instead of a search step, the set of events at the head of thepipeline may be generating by a call to a pre-existing inverted index(as will be explained later).

At block 642, the set of events generated in the first part of the querymay be piped to a query that searches the set of events for field-valuepairs or for keywords. For example, the second intermediate resultstable 626 shows fewer columns, representing the result of the topcommand, “top user” which may summarize the events into a list of thetop 10 users and may display the user, count, and percentage.

Finally, at block 644, the results of the prior stage can be pipelinedto another stage where further filtering or processing of the data canbe performed, e.g., preparing the data for display purposes, filteringthe data based on a condition, performing a mathematical calculationwith the data, etc. As shown in FIG. 6B, the “fields—percent” part ofcommand 630 removes the column that shows the percentage, thereby,leaving a final results table 628 without a percentage column. Indifferent embodiments, other query languages, such as the StructuredQuery Language (“SQL”), can be used to create a query.

2.10 Field Extraction

The search head 210 allows users to search and visualize eventsgenerated from machine data received from homogenous data sources. Thesearch head 210 also allows users to search and visualize eventsgenerated from machine data received from heterogeneous data sources.The search head 210 includes various mechanisms, which may additionallyreside in an indexer 206, for processing a query. A query language maybe used to create a query, such as any suitable pipelined querylanguage. For example, Splunk Processing Language (SPL) can be utilizedto make a query. SPL is a pipelined search language in which a set ofinputs is operated on by a first command in a command line, and then asubsequent command following the pipe symbol “|” operates on the resultsproduced by the first command, and so on for additional commands. Otherquery languages, such as the Structured Query Language (“SQL”), can beused to create a query.

In response to receiving the search query, search head 210 usesextraction rules to extract values for fields in the events beingsearched. The search head 210 obtains extraction rules that specify howto extract a value for fields from an event. Extraction rules cancomprise regex rules that specify how to extract values for the fieldscorresponding to the extraction rules. In addition to specifying how toextract field values, the extraction rules may also include instructionsfor deriving a field value by performing a function on a characterstring or value retrieved by the extraction rule. For example, anextraction rule may truncate a character string or convert the characterstring into a different data format. In some cases, the query itself canspecify one or more extraction rules.

The search head 210 can apply the extraction rules to events that itreceives from indexers 206. Indexers 206 may apply the extraction rulesto events in an associated data store 208. Extraction rules can beapplied to all the events in a data store or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the portions of machine datain the events and examining the data for one or more patterns ofcharacters, numbers, delimiters, etc., that indicate where the fieldbegins and, optionally, ends.

FIG. 7A is a diagram of an example scenario where a common customeridentifier is found among log data received from three disparate datasources, in accordance with example embodiments. In this example, a usersubmits an order for merchandise using a vendor's shopping applicationprogram 701 running on the user's system. In this example, the order wasnot delivered to the vendor's server due to a resource exception at thedestination server that is detected by the middleware code 702. The userthen sends a message to the customer support server 703 to complainabout the order failing to complete. The three systems 701, 702, and 703are disparate systems that do not have a common logging format. Theorder application 701 sends log data 704 to the data intake and querysystem in one format, the middleware code 702 sends error log data 705in a second format, and the support server 703 sends log data 706 in athird format.

Using the log data received at one or more indexers 206 from the threesystems, the vendor can uniquely obtain an insight into user activity,user experience, and system behavior. The search head 210 allows thevendor's administrator to search the log data from the three systemsthat one or more indexers 206 are responsible for searching, therebyobtaining correlated information, such as the order number andcorresponding customer ID number of the person placing the order. Thesystem also allows the administrator to see a visualization of relatedevents via a user interface. The administrator can query the search head210 for customer ID field value matches across the log data from thethree systems that are stored at the one or more indexers 206. Thecustomer ID field value exists in the data gathered from the threesystems, but the customer ID field value may be located in differentareas of the data given differences in the architecture of the systems.There is a semantic relationship between the customer ID field valuesgenerated by the three systems. The search head 210 requests events fromthe one or more indexers 206 to gather relevant events from the threesystems. The search head 210 then applies extraction rules to the eventsin order to extract field values that it can correlate. The search headmay apply a different extraction rule to each set of events from eachsystem when the event format differs among systems. In this example, theuser interface can display to the administrator the events correspondingto the common customer ID field values 707, 708, and 709, therebyproviding the administrator with insight into a customer's experience.

Note that query results can be returned to a client, a search head, orany other system component for further processing. In general, queryresults may include a set of one or more events, a set of one or morevalues obtained from the events, a subset of the values, statisticscalculated based on the values, a report containing the values, avisualization (e.g., a graph or chart) generated from the values, andthe like.

The search system enables users to run queries against the stored datato retrieve events that meet criteria specified in a query, such ascontaining certain keywords or having specific values in defined fields.FIG. 7B illustrates the manner in which keyword searches and fieldsearches are processed in accordance with disclosed embodiments.

If a user inputs a search query into search bar 1401 that includes onlykeywords (also known as “tokens”), e.g., the keyword “error” or“warning”, the query search engine of the data intake and query systemsearches for those keywords directly in the event data 722 stored in theraw record data store. Note that while FIG. 7B only illustrates fourevents, the raw record data store (corresponding to data store 208 inFIG. 2 ) may contain records for millions of events.

As disclosed above, an indexer can optionally generate a keyword indexto facilitate fast keyword searching for event data. The indexerincludes the identified keywords in an index, which associates eachstored keyword with reference pointers to events containing that keyword(or to locations within events where that keyword is located, otherlocation identifiers, etc.). When an indexer subsequently receives akeyword-based query, the indexer can access the keyword index to quicklyidentify events containing the keyword. For example, if the keyword“HTTP” was indexed by the indexer at index time, and the user searchesfor the keyword “HTTP”, events 713 to 715 will be identified based onthe results returned from the keyword index. As noted above, the indexcontains reference pointers to the events containing the keyword, whichallows for efficient retrieval of the relevant events from the rawrecord data store.

If a user searches for a keyword that has not been indexed by theindexer, the data intake and query system would nevertheless be able toretrieve the events by searching the event data for the keyword in theraw record data store directly as shown in FIG. 7B. For example, if auser searches for the keyword “frank”, and the name “frank” has not beenindexed at index time, the DATA INTAKE AND QUERY system will search theevent data directly and return the first event 713. Note that whetherthe keyword has been indexed at index time or not, in both cases the rawdata with the events 712 is accessed from the raw data record store toservice the keyword search. In the case where the keyword has beenindexed, the index will contain a reference pointer that will allow fora more efficient retrieval of the event data from the data store. If thekeyword has not been indexed, the search engine will need to searchthrough all the records in the data store to service the search.

In most cases, however, in addition to keywords, a user's search willalso include fields. The term “field” refers to a location in the eventdata containing one or more values for a specific data item. Often, afield is a value with a fixed, delimited position on a line, or a nameand value pair, where there is a single value to each field name. Afield can also be multivalued, that is, it can appear more than once inan event and have a different value for each appearance, e.g., emailaddress fields. Fields are searchable by the field name or fieldname-value pairs. Some examples of fields are “clientip” for IPaddresses accessing a web server, or the “From” and “To” fields in emailaddresses.

By way of further example, consider the search, “status=404”. Thissearch query finds events with “status” fields that have a value of“404.” When the search is run, the search engine does not look forevents with any other “status” value. It also does not look for eventscontaining other fields that share “404” as a value. As a result, thesearch returns a set of results that are more focused than if “404” hadbeen used in the search string as part of a keyword search. Note alsothat fields can appear in events as “key=value” pairs such as“user_name=Bob.” But in most cases, field values appear in fixed,delimited positions without identifying keys. For example, the datastore may contain events where the “user_name” value always appears byitself after the timestamp as illustrated by the following string:“November 15 09:33:22 johnmedlock.”

The data intake and query system advantageously allows for search timefield extraction. In other words, fields can be extracted from the eventdata at search time using late-binding schema as opposed to at dataingestion time, which was a major limitation of the prior art systems.

In response to receiving the search query, search head 210 usesextraction rules to extract values for the fields associated with afield or fields in the event data being searched. The search head 210obtains extraction rules that specify how to extract a value for certainfields from an event. Extraction rules can comprise regex rules thatspecify how to extract values for the relevant fields. In addition tospecifying how to extract field values, the extraction rules may alsoinclude instructions for deriving a field value by performing a functionon a character string or value retrieved by the extraction rule. Forexample, a transformation rule may truncate a character string, orconvert the character string into a different data format. In somecases, the query itself can specify one or more extraction rules.

FIG. 7B illustrates the manner in which configuration files may be usedto configure custom fields at search time in accordance with thedisclosed embodiments. In response to receiving a search query, the dataintake and query system determines if the query references a “field.”For example, a query may request a list of events where the “clientip”field equals “127.0.0.1.” If the query itself does not specify anextraction rule and if the field is not a metadata field, e.g., time,host, source, source type, etc., then in order to determine anextraction rule, the search engine may, in one or more embodiments, needto locate configuration file 712 during the execution of the search asshown in FIG. 7B.

Configuration file 712 may contain extraction rules for all the variousfields that are not metadata fields, e.g., the “clientip” field. Theextraction rules may be inserted into the configuration file in avariety of ways. In some embodiments, the extraction rules can compriseregular expression rules that are manually entered in by the user.Regular expressions match patterns of characters in text and are usedfor extracting custom fields in text.

In one or more embodiments, as noted above, a field extractor may beconfigured to automatically generate extraction rules for certain fieldvalues in the events when the events are being created, indexed, orstored, or possibly at a later time. In one embodiment, a user may beable to dynamically create custom fields by highlighting portions of asample event that should be extracted as fields using a graphical userinterface. The system would then generate a regular expression thatextracts those fields from similar events and store the regularexpression as an extraction rule for the associated field in theconfiguration file 712.

In some embodiments, the indexers may automatically discover certaincustom fields at index time and the regular expressions for those fieldswill be automatically generated at index time and stored as part ofextraction rules in configuration file 712. For example, fields thatappear in the event data as “key=value” pairs may be automaticallyextracted as part of an automatic field discovery process. Note thatthere may be several other ways of adding field definitions toconfiguration files in addition to the methods discussed herein.

The search head 210 can apply the extraction rules derived fromconfiguration file 1402 to event data that it receives from indexers206. Indexers 206 may apply the extraction rules from the configurationfile to events in an associated data store 208. Extraction rules can beapplied to all the events in a data store, or to a subset of the eventsthat have been filtered based on some criteria (e.g., event time stampvalues, etc.). Extraction rules can be used to extract one or morevalues for a field from events by parsing the event data and examiningthe event data for one or more patterns of characters, numbers,delimiters, etc., that indicate where the field begins and, optionally,ends.

In one more embodiments, the extraction rule in configuration file 712will also need to define the type or set of events that the rule appliesto. Because the raw record data store will contain events from multipleheterogeneous sources, multiple events may contain the same fields indifferent locations because of discrepancies in the format of the datagenerated by the various sources. Furthermore, certain events may notcontain a particular field at all. For example, event 719 also contains“clientip” field, however, the “clientip” field is in a different formatfrom events 713-715. To address the discrepancies in the format andcontent of the different types of events, the configuration file willalso need to specify the set of events that an extraction rule appliesto, e.g., extraction rule 716 specifies a rule for filtering by the typeof event and contains a regular expression for parsing out the fieldvalue. Accordingly, each extraction rule will pertain to only aparticular type of event. If a particular field, e.g., “clientip” occursin multiple events, each of those types of events would need its owncorresponding extraction rule in the configuration file 712 and each ofthe extraction rules would comprise a different regular expression toparse out the associated field value. The most common way to categorizeevents is by source type because events generated by a particular sourcecan have the same format.

The field extraction rules stored in configuration file 712 performsearch-time field extractions. For example, for a query that requests alist of events with source type “access_combined” where the “clientip”field equals “127.0.0.1,” the query search engine would first locate theconfiguration file 712 to retrieve extraction rule 716 that would allowit to extract values associated with the “clientip” field from the eventdata 720 “where the source type is “access_combined. After the“clientip” field has been extracted from all the events comprising the“clientip” field where the source type is “access_combined,” the querysearch engine can then execute the field criteria by performing thecompare operation to filter out the events where the “clientip” fieldequals “127.0.0.1.” In the example shown in FIG. 7B, events 713-715would be returned in response to the user query. In this manner, thesearch engine can service queries containing field criteria in additionto queries containing keyword criteria (as explained above).

The configuration file can be created during indexing. It may either bemanually created by the user or automatically generated with certainpredetermined field extraction rules. As discussed above, the events maybe distributed across several indexers, wherein each indexer may beresponsible for storing and searching a subset of the events containedin a corresponding data store. In a distributed indexer system, eachindexer would need to maintain a local copy of the configuration filethat is synchronized periodically across the various indexers.

The ability to add schema to the configuration file at search timeresults in increased efficiency. A user can create new fields at searchtime and simply add field definitions to the configuration file. As auser learns more about the data in the events, the user can continue torefine the late-binding schema by adding new fields, deleting fields, ormodifying the field extraction rules in the configuration file for usethe next time the schema is used by the system. Because the data intakeand query system maintains the underlying raw data and uses late-bindingschema for searching the raw data, it enables a user to continueinvestigating and learn valuable insights about the raw data long afterdata ingestion time.

The ability to add multiple field definitions to the configuration fileat search time also results in increased flexibility. For example,multiple field definitions can be added to the configuration file tocapture the same field across events generated by different sourcetypes. This allows the data intake and query system to search andcorrelate data across heterogeneous sources flexibly and efficiently.

Further, by providing the field definitions for the queried fields atsearch time, the configuration file 712 allows the record data store 712to be field searchable. In other words, the raw record data store 712can be searched using keywords as well as fields, wherein the fields aresearchable name/value pairings that distinguish one event from anotherand can be defined in configuration file 1402 using extraction rules. Incomparison to a search containing field names, a keyword search does notneed the configuration file and can search the event data directly asshown in FIG. 7B.

It should also be noted that any events filtered out by performing asearch-time field extraction using a configuration file can be furtherprocessed by directing the results of the filtering step to a processingstep using a pipelined search language. Using the prior example, a usercould pipeline the results of the compare step to an aggregate functionby asking the query search engine to count the number of events wherethe “clientip” field equals “127.0.0.1.”

2.11 Example Search Screen

FIG. 8A is an interface diagram of an example user interface for asearch screen 800, in accordance with example embodiments. Search screen800 includes a search bar 802 that accepts user input in the form of asearch string. It also includes a time range picker 812 that enables theuser to specify a time range for the search. For historical searches(e.g., searches based on a particular historical time range), the usercan select a specific time range, or alternatively a relative timerange, such as “today,” “yesterday” or “last week.” For real-timesearches (e.g., searches whose results are based on data received inreal-time), the user can select the size of a preceding time window tosearch for real-time events. Search screen 800 also initially maydisplay a “data summary” dialog as is illustrated in FIG. 8B thatenables the user to select different sources for the events, such as byselecting specific hosts and log files.

After the search is executed, the search screen 800 in FIG. 8A candisplay the results through search results tabs 804, wherein searchresults tabs 804 includes: an “events tab” that may display variousinformation about events returned by the search; a “statistics tab” thatmay display statistics about the search results; and a “visualizationtab” that may display various visualizations of the search results. Theevents tab illustrated in FIG. 8A may display a timeline graph 805 thatgraphically illustrates the number of events that occurred in one-hourintervals over the selected time range. The events tab also may displayan events list 808 that enables a user to view the machine data in eachof the returned events.

The events tab additionally may display a sidebar that is an interactivefield picker 806. The field picker 806 may be displayed to a user inresponse to the search being executed and allows the user to furtheranalyze the search results based on the fields in the events of thesearch results. The field picker 806 includes field names that referencefields present in the events in the search results. The field picker maydisplay any Selected Fields 820 that a user has pre-selected for display(e.g., host, source, sourcetype) and may also display any InterestingFields 822 that the system determines may be interesting to the userbased on pre-specified criteria (e.g., action, bytes, categoryid,clientip, date_hour, date_mday, date_minute, etc.). The field pickeralso provides an option to display field names for all the fieldspresent in the events of the search results using the All Fields control824.

Each field name in the field picker 806 has a value type identifier tothe left of the field name, such as value type identifier 826. A valuetype identifier identifies the type of value for the respective field,such as an “a” for fields that include literal values or a “#” forfields that include numerical values.

Each field name in the field picker also has a unique value count to theright of the field name, such as unique value count 828. The uniquevalue count indicates the number of unique values for the respectivefield in the events of the search results.

Each field name is selectable to view the events in the search resultsthat have the field referenced by that field name. For example, a usercan select the “host” field name, and the events shown in the eventslist 808 will be updated with events in the search results that have thefield that is reference by the field name “host.”

2.12 Data Models

A data model is a hierarchically structured search-time mapping ofsemantic knowledge about one or more datasets. It encodes the domainknowledge used to build a variety of specialized searches of thosedatasets. Those searches, in turn, can be used to generate reports.

A data model is composed of one or more “objects” (or “data modelobjects”) that define or otherwise correspond to a specific set of data.An object is defined by constraints and attributes. An object'sconstraints are search criteria that define the set of events to beoperated on by running a search having that search criteria at the timethe data model is selected. An object's attributes are the set of fieldsto be exposed for operating on that set of events generated by thesearch criteria.

Objects in data models can be arranged hierarchically in parent/childrelationships. Each child object represents a subset of the datasetcovered by its parent object. The top-level objects in data models arecollectively referred to as “root objects.”

Child objects have inheritance. Child objects inherit constraints andattributes from their parent objects and may have additional constraintsand attributes of their own. Child objects provide a way of filteringevents from parent objects. Because a child object may provide anadditional constraint in addition to the constraints it has inheritedfrom its parent object, the dataset it represents may be a subset of thedataset that its parent represents. For example, a first data modelobject may define a broad set of data pertaining to e-mail activitygenerally, and another data model object may define specific datasetswithin the broad dataset, such as a subset of the e-mail data pertainingspecifically to e-mails sent. For example, a user can simply select an“e-mail activity” data model object to access a dataset relating toe-mails generally (e.g., sent or received), or select an “e-mails sent”data model object (or data sub-model object) to access a datasetrelating to e-mails sent.

Because a data model object is defined by its constraints (e.g., a setof search criteria) and attributes (e.g., a set of fields), a data modelobject can be used to quickly search data to identify a set of eventsand to identify a set of fields to be associated with the set of events.For example, an “e-mails sent” data model object may specify a searchfor events relating to e-mails that have been sent, and specify a set offields that are associated with the events. Thus, a user can retrieveand use the “e-mails sent” data model object to quickly search sourcedata for events relating to sent e-mails, and may be provided with alisting of the set of fields relevant to the events in a user interfacescreen.

Examples of data models can include electronic mail, authentication,databases, intrusion detection, malware, application state, alerts,compute inventory, network sessions, network traffic, performance,audits, updates, vulnerabilities, etc. Data models and their objects canbe designed by knowledge managers in an organization, and they canenable downstream users to quickly focus on a specific set of data. Auser iteratively applies a model development tool (not shown in FIG. 8A)to prepare a query that defines a subset of events and assigns an objectname to that subset. A child subset is created by further limiting aquery that generated a parent subset.

Data definitions in associated schemas can be taken from the commoninformation model (CIM) or can be devised for a particular schema andoptionally added to the CIM. Child objects inherit fields from parentsand can include fields not present in parents. A model developer canselect fewer extraction rules than are available for the sourcesreturned by the query that defines events belonging to a model.Selecting a limited set of extraction rules can be a tool forsimplifying and focusing the data model, while allowing a userflexibility to explore the data subset. Development of a data model isfurther explained in U.S. Pat. Nos. 8,788,525 and 8,788,526, bothentitled “DATA MODEL FOR MACHINE DATA FOR SEMANTIC SEARCH”, both issuedon 22 Jul. 2014, U.S. Pat. No. 8,983,994, entitled “GENERATION OF A DATAMODEL FOR SEARCHING MACHINE DATA”, issued on 17 Mar. 2015, U.S. Pat. No.9,128,980, entitled “GENERATION OF A DATA MODEL APPLIED TO QUERIES”,issued on 8 Sep. 2015, and U.S. Pat. No. 9,589,012, entitled “GENERATIONOF A DATA MODEL APPLIED TO OBJECT QUERIES”, issued on 7 Mar. 2017, eachof which is hereby incorporated by reference in its entirety for allpurposes.

A data model can also include reports. One or more report formats can beassociated with a particular data model and be made available to runagainst the data model. A user can use child objects to design reportswith object datasets that already have extraneous data pre-filtered out.In some embodiments, the data intake and query system 108 provides theuser with the ability to produce reports (e.g., a table, chart,visualization, etc.) without having to enter SPL, SQL, or other querylanguage terms into a search screen. Data models are used as the basisfor the search feature.

Data models may be selected in a report generation interface. The reportgenerator supports drag-and-drop organization of fields to be summarizedin a report. When a model is selected, the fields with availableextraction rules are made available for use in the report. The user mayrefine and/or filter search results to produce more precise reports. Theuser may select some fields for organizing the report and select otherfields for providing detail according to the report organization. Forexample, “region” and “salesperson” are fields used for organizing thereport and sales data can be summarized (subtotaled and totaled) withinthis organization. The report generator allows the user to specify oneor more fields within events and apply statistical analysis on valuesextracted from the specified one or more fields. The report generatormay aggregate search results across sets of events and generatestatistics based on aggregated search results. Building reports usingthe report generation interface is further explained in U.S. patentapplication Ser. No. 14/503,335, entitled “GENERATING REPORTS FROMUNSTRUCTURED DATA”, filed on 30 Sep. 2014, and which is herebyincorporated by reference in its entirety for all purposes. Datavisualizations also can be generated in a variety of formats, byreference to the data model. Reports, data visualizations, and datamodel objects can be saved and associated with the data model for futureuse. The data model object may be used to perform searches of otherdata.

FIGS. 9-15 are interface diagrams of example report generation userinterfaces, in accordance with example embodiments. The reportgeneration process may be driven by a predefined data model object, suchas a data model object defined and/or saved via a reporting applicationor a data model object obtained from another source. A user can load asaved data model object using a report editor. For example, the initialsearch query and fields used to drive the report editor may be obtainedfrom a data model object. The data model object that is used to drive areport generation process may define a search and a set of fields. Uponloading of the data model object, the report generation process mayenable a user to use the fields (e.g., the fields defined by the datamodel object) to define criteria for a report (e.g., filters, splitrows/columns, aggregates, etc.) and the search may be used to identifyevents (e.g., to identify events responsive to the search) used togenerate the report. That is, for example, if a data model object isselected to drive a report editor, the graphical user interface of thereport editor may enable a user to define reporting criteria for thereport using the fields associated with the selected data model object,and the events used to generate the report may be constrained to theevents that match, or otherwise satisfy, the search constraints of theselected data model object.

The selection of a data model object for use in driving a reportgeneration may be facilitated by a data model object selectioninterface. FIG. 9 illustrates an example interactive data modelselection graphical user interface 900 of a report editor that maydisplay a listing of available data models 901. The user may select oneof the data models 902.

FIG. 10 illustrates an example data model object selection graphicaluser interface 1000 that may display available data objects 1001 for theselected data object model 902. The user may select one of the displayeddata model objects 1002 for use in driving the report generationprocess.

Once a data model object is selected by the user, a user interfacescreen 1100 shown in FIG. 11A may display an interactive listing ofautomatic field identification options 1101 based on the selected datamodel object. For example, a user may select one of the threeillustrated options (e.g., the “All Fields” option 1102, the “SelectedFields” option 1103, or the “Coverage” option (e.g., fields with atleast a specified % of coverage) 1104). If the user selects the “AllFields” option 1102, all of the fields identified from the events thatwere returned in response to an initial search query may be selected.That is, for example, all of the fields of the identified data modelobject fields may be selected. If the user selects the “Selected Fields”option 1103, only the fields from the fields of the identified datamodel object fields that are selected by the user may be used. If theuser selects the “Coverage” option 1104, only the fields of theidentified data model object fields meeting a specified coveragecriteria may be selected. A percent coverage may refer to the percentageof events returned by the initial search query that a given fieldappears in. Thus, for example, if an object dataset includes 10,000events returned in response to an initial search query, and the“avg_age” field appears in 854 of those 10,000 events, then the“avg_age” field would have a coverage of 8.54% for that object dataset.If, for example, the user selects the “Coverage” option and specifies acoverage value of 2%, only fields having a coverage value equal to orgreater than 2% may be selected. The number of fields corresponding toeach selectable option may be displayed in association with each option.For example, “97” displayed next to the “All Fields” option 1102indicates that 97 fields will be selected if the “All Fields” option isselected. The “3” displayed next to the “Selected Fields” option 1103indicates that 3 of the 97 fields will be selected if the “SelectedFields” option is selected. The “49” displayed next to the “Coverage”option 1104 indicates that 49 of the 97 fields (e.g., the 49 fieldshaving a coverage of 2% or greater) will be selected if the “Coverage”option is selected. The number of fields corresponding to the “Coverage”option may be dynamically updated based on the specified percent ofcoverage.

FIG. 11B illustrates an example graphical user interface screen 1105displaying the reporting application's “Report Editor” page. The screenmay display interactive elements for defining various elements of areport. For example, the page includes a “Filters” element 1106, a“Split Rows” element 1107, a “Split Columns” element 1108, and a “ColumnValues” element 1109. The page may include a list of search results1111. In this example, the Split Rows element 1107 is expanded,revealing a listing of fields 1110 that can be used to define additionalcriteria (e.g., reporting criteria). The listing of fields 1110 maycorrespond to the selected fields. That is, the listing of fields 1110may list only the fields previously selected, either automaticallyand/or manually by a user. FIG. 11C illustrates a formatting dialogue1112 that may be displayed upon selecting a field from the listing offields 1110. The dialogue can be used to format the display of theresults of the selection (e.g., label the column for the selected fieldto be displayed as “component”).

FIG. 11D illustrates an example graphical user interface screen 1105including a table of results 1113 based on the selected criteriaincluding splitting the rows by the “component” field. A column 1114having an associated count for each component listed in the table may bedisplayed that indicates an aggregate count of the number of times thatthe particular field-value pair (e.g., the value in a row for aparticular field, such as the value “BucketMover” for the field“component”) occurs in the set of events responsive to the initialsearch query.

FIG. 12 illustrates an example graphical user interface screen 1200 thatallows the user to filter search results and to perform statisticalanalysis on values extracted from specific fields in the set of events.In this example, the top ten product names ranked by price are selectedas a filter 1201 that causes the display of the ten most popularproducts sorted by price. Each row is displayed by product name andprice 1202. This results in each product displayed in a column labeled“product name” along with an associated price in a column labeled“price” 1206. Statistical analysis of other fields in the eventsassociated with the ten most popular products have been specified ascolumn values 1203. A count of the number of successful purchases foreach product is displayed in column 1204. These statistics may beproduced by filtering the search results by the product name, findingall occurrences of a successful purchase in a field within the eventsand generating a total of the number of occurrences. A sum of the totalsales is displayed in column 1205, which is a result of themultiplication of the price and the number of successful purchases foreach product.

The reporting application allows the user to create graphicalvisualizations of the statistics generated for a report. For example,FIG. 13 illustrates an example graphical user interface 1300 that maydisplay a set of components and associated statistics 1301. Thereporting application allows the user to select a visualization of thestatistics in a graph (e.g., bar chart, scatter plot, area chart, linechart, pie chart, radial gauge, marker gauge, filler gauge, etc.), wherethe format of the graph may be selected using the user interfacecontrols 1302 along the left panel of the user interface 1300. FIG. 14illustrates an example of a bar chart visualization 1400 of an aspect ofthe statistical data 1301. FIG. 15 illustrates a scatter plotvisualization 1500 of an aspect of the statistical data 1301.

2.13 Acceleration Technique

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally-processed data “on thefly” at search time using a late-binding schema, instead of storingpre-specified portions of the data in a database at ingestion time. Thisflexibility enables a user to see valuable insights, correlate data, andperform subsequent queries to examine interesting aspects of the datathat may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause delays in processing thequeries. Advantageously, the data intake and query system also employs anumber of unique acceleration techniques that have been developed tospeed up analysis operations performed at search time. These techniquesinclude: (1) performing search operations in parallel across multipleindexers; (2) using a keyword index; (3) using a high performanceanalytics store; and (4) accelerating the process of generating reports.These novel techniques are described in more detail below.

2.13.1 Aggregation Technique

To facilitate faster query processing, a query can be structured suchthat multiple indexers perform the query in parallel, while aggregationof search results from the multiple indexers is performed locally at thesearch head. For example, FIG. 16 is an example search query receivedfrom a client and executed by search peers, in accordance with exampleembodiments. FIG. 16 illustrates how a search query 1602 received from aclient at a search head 210 can split into two phases, including: (1)subtasks 1604 (e.g., data retrieval or simple filtering) that may beperformed in parallel by indexers 206 for execution, and (2) a searchresults aggregation operation 1606 to be executed by the search headwhen the results are ultimately collected from the indexers.

During operation, upon receiving search query 1602, a search head 210determines that a portion of the operations involved with the searchquery may be performed locally by the search head. The search headmodifies search query 1602 by substituting “stats” (create aggregatestatistics over results sets received from the indexers at the searchhead) with “prestats” (create statistics by the indexer from localresults set) to produce search query 1604, and then distributes searchquery 1604 to distributed indexers, which are also referred to as“search peers” or “peer indexers.” Note that search queries maygenerally specify search criteria or operations to be performed onevents that meet the search criteria. Search queries may also specifyfield names, as well as search criteria for the values in the fields oroperations to be performed on the values in the fields. Moreover, thesearch head may distribute the full search query to the search peers asillustrated in FIG. 6A, or may alternatively distribute a modifiedversion (e.g., a more restricted version) of the search query to thesearch peers. In this example, the indexers are responsible forproducing the results and sending them to the search head. After theindexers return the results to the search head, the search headaggregates the received results 1606 to form a single search result set.By executing the query in this manner, the system effectivelydistributes the computational operations across the indexers whileminimizing data transfers.

2.13.2 Keyword Index

As described above with reference to the flow charts in FIG. 5A and FIG.6A, data intake and query system 108 can construct and maintain one ormore keyword indices to quickly identify events containing specifickeywords. This technique can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

2.13.3 High Performance Analytics Store

To speed up certain types of queries, some embodiments of system 108create a high performance analytics store, which is referred to as a“summarization table,” that contains entries for specific field-valuepairs. Each of these entries keeps track of instances of a specificvalue in a specific field in the events and includes references toevents containing the specific value in the specific field. For example,an example entry in a summarization table can keep track of occurrencesof the value “94107” in a “ZIP code” field of a set of events and theentry includes references to all of the events that contain the value“94107” in the ZIP code field. This optimization technique enables thesystem to quickly process queries that seek to determine how many eventshave a particular value for a particular field. To this end, the systemcan examine the entry in the summarization table to count instances ofthe specific value in the field without having to go through theindividual events or perform data extractions at search time. Also, ifthe system needs to process all events that have a specific field-valuecombination, the system can use the references in the summarizationtable entry to directly access the events to extract further informationwithout having to search all of the events to find the specificfield-value combination at search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range. A bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer. The indexer-specificsummarization table includes entries for the events in a data store thatare managed by the specific indexer. Indexer-specific summarizationtables may also be bucket-specific.

The summarization table can be populated by running a periodic querythat scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A periodic query can be initiated by a user, orcan be scheduled to occur automatically at specific time intervals. Aperiodic query can also be automatically launched in response to a querythat asks for a specific field-value combination.

In some cases, when the summarization tables may not cover all of theevents that are relevant to a query, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query. Thesummarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, entitled “Distributed HighPerformance Analytics Store”, issued on 25 Mar. 2014, U.S. Pat. No.9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCE ANALYTICS STOREWITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO AN EVENT QUERY”,issued on 8 Sep. 2015, and U.S. patent application Ser. No. 14/815,973,entitled “GENERATING AND STORING SUMMARIZATION TABLES FOR SETS OFSEARCHABLE EVENTS”, filed on 1 Aug. 2015, each of which is herebyincorporated by reference in its entirety for all purposes.

To speed up certain types of queries, e.g., frequently encounteredqueries or computationally intensive queries, some embodiments of system108 create a high performance analytics store, which is referred to as a“summarization table,” (also referred to as a “lexicon” or “invertedindex”) that contains entries for specific field-value pairs. Each ofthese entries keeps track of instances of a specific value in a specificfield in the event data and includes references to events containing thespecific value in the specific field. For example, an example entry inan inverted index can keep track of occurrences of the value “94107” ina “ZIP code” field of a set of events and the entry includes referencesto all of the events that contain the value “94107” in the ZIP codefield. Creating the inverted index data structure avoids needing toincur the computational overhead each time a statistical query needs tobe run on a frequently encountered field-value pair. In order toexpedite queries, in most embodiments, the search engine will employ theinverted index separate from the raw record data store to generateresponses to the received queries.

Note that the term “summarization table” or “inverted index” as usedherein is a data structure that may be generated by an indexer thatincludes at least field names and field values that have been extractedand/or indexed from event records. An inverted index may also includereference values that point to the location(s) in the field searchabledata store where the event records that include the field may be found.Also, an inverted index may be stored using well-known compressiontechniques to reduce its storage size.

Further, note that the term “reference value” (also referred to as a“posting value”) as used herein is a value that references the locationof a source record in the field searchable data store. In someembodiments, the reference value may include additional informationabout each record, such as timestamps, record size, meta-data, or thelike. Each reference value may be a unique identifier which may be usedto access the event data directly in the field searchable data store. Insome embodiments, the reference values may be ordered based on eachevent record's timestamp. For example, if numbers are used asidentifiers, they may be sorted so event records having a latertimestamp always have a lower valued identifier than event records withan earlier timestamp, or vice-versa. Reference values are often includedin inverted indexes for retrieving and/or identifying event records.

In one or more embodiments, an inverted index is generated in responseto a user-initiated collection query. The term “collection query” asused herein refers to queries that include commands that generatesummarization information and inverted indexes (or summarization tables)from event records stored in the field searchable data store.

Note that a collection query is a special type of query that can beuser-generated and is used to create an inverted index. A collectionquery is not the same as a query that is used to call up or invoke apre-existing inverted index. In one or more embodiment, a query cancomprise an initial step that calls up a pre-generated inverted index onwhich further filtering and processing can be performed. For example,referring back to FIG. 13 , a set of events generated at block 1320 byeither using a “collection” query to create a new inverted index or bycalling up a pre-generated inverted index. A query with severalpipelined steps will start with a pre-generated index to accelerate thequery.

FIG. 7C illustrates the manner in which an inverted index is created andused in accordance with the disclosed embodiments. As shown in FIG. 7C,an inverted index 722 can be created in response to a user-initiatedcollection query using the event data 723 stored in the raw record datastore. For example, a non-limiting example of a collection query mayinclude “collect clientip=127.0.0.1” which may result in an invertedindex 722 being generated from the event data 723 as shown in FIG. 7C.Each entry in inverted index 722 includes an event reference value thatreferences the location of a source record in the field searchable datastore. The reference value may be used to access the original eventrecord directly from the field searchable data store.

In one or more embodiments, if one or more of the queries is acollection query, the responsive indexers may generate summarizationinformation based on the fields of the event records located in thefield searchable data store. In at least one of the various embodiments,one or more of the fields used in the summarization information may belisted in the collection query and/or they may be determined based onterms included in the collection query. For example, a collection querymay include an explicit list of fields to summarize. Or, in at least oneof the various embodiments, a collection query may include terms orexpressions that explicitly define the fields, e.g., using regex rules.In FIG. 7C, prior to running the collection query that generates theinverted index 722, the field name “clientip” may need to be defined ina configuration file by specifying the “access_combined” source type anda regular expression rule to parse out the client IP address.Alternatively, the collection query may contain an explicit definitionfor the field name “clientip” which may obviate the need to referencethe configuration file at search time.

In one or more embodiments, collection queries may be saved andscheduled to run periodically. These scheduled collection queries mayperiodically update the summarization information corresponding to thequery. For example, if the collection query that generates invertedindex 722 is scheduled to run periodically, one or more indexers wouldperiodically search through the relevant buckets to update invertedindex 722 with event data for any new events with the “clientip” valueof “127.0.0.1.”

In some embodiments, the inverted indexes that include fields, values,and reference value (e.g., inverted index 722) for event records may beincluded in the summarization information provided to the user. In otherembodiments, a user may not be interested in specific fields and valuescontained in the inverted index, but may need to perform a statisticalquery on the data in the inverted index. For example, referencing theexample of FIG. 7C rather than viewing the fields within summarizationtable 722, a user may want to generate a count of all client requestsfrom IP address “127.0.0.1.” In this case, the search engine wouldsimply return a result of “4” rather than including details about theinverted index 722 in the information provided to the user.

The pipelined search language, e.g., SPL of the SPLUNK® ENTERPRISEsystem can be used to pipe the contents of an inverted index to astatistical query using the “stats” command for example. A “stats” queryrefers to queries that generate result sets that may produce aggregateand statistical results from event records, e.g., average, mean, max,min, rms, etc. Where sufficient information is available in an invertedindex, a “stats” query may generate their result sets rapidly from thesummarization information available in the inverted index rather thandirectly scanning event records. For example, the contents of invertedindex 722 can be pipelined to a stats query, e.g., a “count” functionthat counts the number of entries in the inverted index and returns avalue of “4.” In this way, inverted indexes may enable various statsqueries to be performed absent scanning or search the event records.Accordingly, this optimization technique enables the system to quicklyprocess queries that seek to determine how many events have a particularvalue for a particular field. To this end, the system can examine theentry in the inverted index to count instances of the specific value inthe field without having to go through the individual events or performdata extractions at search time.

In some embodiments, the system maintains a separate inverted index foreach of the above-described time-specific buckets that stores events fora specific time range. A bucket-specific inverted index includes entriesfor specific field-value combinations that occur in events in thespecific bucket. Alternatively, the system can maintain a separateinverted index for each indexer. The indexer-specific inverted indexincludes entries for the events in a data store that are managed by thespecific indexer. Indexer-specific inverted indexes may also bebucket-specific. In at least one or more embodiments, if one or more ofthe queries is a stats query, each indexer may generate a partial resultset from previously generated summarization information. The partialresult sets may be returned to the search head that received the queryand combined into a single result set for the query

As mentioned above, the inverted index can be populated by running aperiodic query that scans a set of events to find instances of aspecific field-value combination, or alternatively instances of allfield-value combinations for a specific field. A periodic query can beinitiated by a user, or can be scheduled to occur automatically atspecific time intervals. A periodic query can also be automaticallylaunched in response to a query that asks for a specific field-valuecombination. In some embodiments, if summarization information is absentfrom an indexer that includes responsive event records, further actionsmay be taken, such as, the summarization information may generated onthe fly, warnings may be provided the user, the collection queryoperation may be halted, the absence of summarization information may beignored, or the like, or combination thereof.

In one or more embodiments, an inverted index may be set up to updatecontinually. For example, the query may ask for the inverted index toupdate its result periodically, e.g., every hour. In such instances, theinverted index may be a dynamic data structure that is regularly updatedto include information regarding incoming events.

In some cases, e.g., where a query is executed before an inverted indexupdates, when the inverted index may not cover all of the events thatare relevant to a query, the system can use the inverted index to obtainpartial results for the events that are covered by inverted index, butmay also have to search through other events that are not covered by theinverted index to produce additional results on the fly. In other words,an indexer would need to search through event data on the data store tosupplement the partial results. These additional results can then becombined with the partial results to produce a final set of results forthe query. Note that in typical instances where an inverted index is notcompletely up to date, the number of events that an indexer would needto search through to supplement the results from the inverted indexwould be relatively small. In other words, the search to get the mostrecent results can be quick and efficient because only a small number ofevent records will be searched through to supplement the informationfrom the inverted index. The inverted index and associated techniquesare described in more detail in U.S. Pat. No. 8,682,925, entitled“Distributed High Performance Analytics Store”, issued on 25 Mar. 2014,U.S. Pat. No. 9,128,985, entitled “SUPPLEMENTING A HIGH PERFORMANCEANALYTICS STORE WITH EVALUATION OF INDIVIDUAL EVENTS TO RESPOND TO ANEVENT QUERY”, filed on 31 Jan. 2014, and U.S. patent application Ser.No. 14/815,973, entitled “STORAGE MEDIUM AND CONTROL DEVICE”, filed on21 Feb. 2014, each of which is hereby incorporated by reference in itsentirety.

2.13.3.1 Extracting Event Data Using Posting

In one or more embodiments, if the system needs to process all eventsthat have a specific field-value combination, the system can use thereferences in the inverted index entry to directly access the events toextract further information without having to search all of the eventsto find the specific field-value combination at search time. In otherwords, the system can use the reference values to locate the associatedevent data in the field searchable data store and extract furtherinformation from those events, e.g., extract further field values fromthe events for purposes of filtering or processing or both.

The information extracted from the event data using the reference valuescan be directed for further filtering or processing in a query using thepipeline search language. The pipelined search language will, in oneembodiment, include syntax that can direct the initial filtering step ina query to an inverted index. In one embodiment, a user would includesyntax in the query that explicitly directs the initial searching orfiltering step to the inverted index.

Referencing the example in FIG. 15 , if the user determines that sheneeds the user id fields associated with the client requests from IPaddress “127.0.0.1,” instead of incurring the computational overhead ofperforming a brand new search or re-generating the inverted index withan additional field, the user can generate a query that explicitlydirects or pipes the contents of the already generated inverted index1502 to another filtering step requesting the user ids for the entriesin inverted index 1502 where the server response time is greater than“0.0900” microseconds. The search engine would use the reference valuesstored in inverted index 722 to retrieve the event data from the fieldsearchable data store, filter the results based on the “response time”field values and, further, extract the user id field from the resultingevent data to return to the user. In the present instance, the user ids“frank” and “carlos” would be returned to the user from the generatedresults table 722.

In one embodiment, the same methodology can be used to pipe the contentsof the inverted index to a processing step. In other words, the user isable to use the inverted index to efficiently and quickly performaggregate functions on field values that were not part of the initiallygenerated inverted index. For example, a user may want to determine anaverage object size (size of the requested gif) requested by clientsfrom IP address “127.0.0.1.” In this case, the search engine would againuse the reference values stored in inverted index 722 to retrieve theevent data from the field searchable data store and, further, extractthe object size field values from the associated events 731, 732, 733and 734. Once, the corresponding object sizes have been extracted (i.e.2326, 2900, 2920, and 5000), the average can be computed and returned tothe user.

In one embodiment, instead of explicitly invoking the inverted index ina user-generated query, e.g., by the use of special commands or syntax,the SPLUNK® ENTERPRISE system can be configured to automaticallydetermine if any prior-generated inverted index can be used to expeditea user query. For example, the user's query may request the averageobject size (size of the requested gif) requested by clients from IPaddress “127.0.0.1.” without any reference to or use of inverted index722. The search engine, in this case, would automatically determine thatan inverted index 722 already exists in the system that could expeditethis query. In one embodiment, prior to running any search comprising afield-value pair, for example, a search engine may search though all theexisting inverted indexes to determine if a pre-generated inverted indexcould be used to expedite the search comprising the field-value pair.Accordingly, the search engine would automatically use the pre-generatedinverted index, e.g., index 722 to generate the results without anyuser-involvement that directs the use of the index.

Using the reference values in an inverted index to be able to directlyaccess the event data in the field searchable data store and extractfurther information from the associated event data for further filteringand processing is highly advantageous because it avoids incurring thecomputation overhead of regenerating the inverted index with additionalfields or performing a new search.

The data intake and query system includes one or more forwarders thatreceive raw machine data from a variety of input data sources, and oneor more indexers that process and store the data in one or more datastores. By distributing events among the indexers and data stores, theindexers can analyze events for a query in parallel. In one or moreembodiments, a multiple indexer implementation of the search systemwould maintain a separate and respective inverted index for each of theabove-described time-specific buckets that stores events for a specifictime range. A bucket-specific inverted index includes entries forspecific field-value combinations that occur in events in the specificbucket. As explained above, a search head would be able to correlate andsynthesize data from across the various buckets and indexers.

This feature advantageously expedites searches because instead ofperforming a computationally intensive search in a centrally locatedinverted index that catalogues all the relevant events, an indexer isable to directly search an inverted index stored in a bucket associatedwith the time-range specified in the query. This allows the search to beperformed in parallel across the various indexers. Further, if the queryrequests further filtering or processing to be conducted on the eventdata referenced by the locally stored bucket-specific inverted index,the indexer is able to simply access the event records stored in theassociated bucket for further filtering and processing instead ofneeding to access a central repository of event records, which woulddramatically add to the computational overhead.

In one embodiment, there may be multiple buckets associated with thetime-range specified in a query. If the query is directed to an invertedindex, or if the search engine automatically determines that using aninverted index would expedite the processing of the query, the indexerswill search through each of the inverted indexes associated with thebuckets for the specified time-range. This feature allows the HighPerformance Analytics Store to be scaled easily.

In certain instances, where a query is executed before a bucket-specificinverted index updates, when the bucket-specific inverted index may notcover all of the events that are relevant to a query, the system can usethe bucket-specific inverted index to obtain partial results for theevents that are covered by bucket-specific inverted index, but may alsohave to search through the event data in the bucket associated with thebucket-specific inverted index to produce additional results on the fly.In other words, an indexer would need to search through event datastored in the bucket (that was not yet processed by the indexer for thecorresponding inverted index) to supplement the partial results from thebucket-specific inverted index.

FIG. 7D presents a flowchart illustrating how an inverted index in apipelined search query can be used to determine a set of event data thatcan be further limited by filtering or processing in accordance with thedisclosed embodiments.

At block 742, a query is received by a data intake and query system. Insome embodiments, the query can be received as a user generated queryentered into a search bar of a graphical user search interface. Thesearch interface also includes a time range control element that enablesspecification of a time range for the query.

At block 744, an inverted index is retrieved. Note, that the invertedindex can be retrieved in response to an explicit user search commandinputted as part of the user generated query. Alternatively, the searchengine can be configured to automatically use an inverted index if itdetermines that using the inverted index would expedite the servicing ofthe user generated query. Each of the entries in an inverted index keepstrack of instances of a specific value in a specific field in the eventdata and includes references to events containing the specific value inthe specific field. In order to expedite queries, in most embodiments,the search engine will employ the inverted index separate from the rawrecord data store to generate responses to the received queries.

At block 746, the query engine determines if the query contains furtherfiltering and processing steps. If the query contains no furthercommands, then, in one embodiment, summarization information can beprovided to the user at block 754.

If, however, the query does contain further filtering and processingcommands, then at block 750, the query engine determines if the commandsrelate to further filtering or processing of the data extracted as partof the inverted index or whether the commands are directed to using theinverted index as an initial filtering step to further filter andprocess event data referenced by the entries in the inverted index. Ifthe query can be completed using data already in the generated invertedindex, then the further filtering or processing steps, e.g., a “count”number of records function, “average” number of records per hour etc.are performed and the results are provided to the user at block 752.

If, however, the query references fields that are not extracted in theinverted index, then the indexers will access event data pointed to bythe reference values in the inverted index to retrieve any furtherinformation required at block 756. Subsequently, any further filteringor processing steps are performed on the fields extracted directly fromthe event data and the results are provided to the user at step 758.

2.13.3.2 Accelerating Report Generation

In some embodiments, a data server system such as the data intake andquery system can accelerate the process of periodically generatingupdated reports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether generation of updated reports can be accelerated by creatingintermediate summaries. If reports can be accelerated, the summarizationengine periodically generates a summary covering data obtained during alatest non-overlapping time period. For example, where the query seeksevents meeting a specified criteria, a summary for the time periodincludes only events within the time period that meet the specifiedcriteria. Similarly, if the query seeks statistics calculated from theevents, such as the number of events that match the specified criteria,then the summary for the time period includes the number of events inthe period that match the specified criteria.

In addition to the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on theseadditional events. Then, the results returned by this query on theadditional events, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so advantageously onlythe newer events needs to be processed while generating an updatedreport. These report acceleration techniques are described in moredetail in U.S. Pat. No. 8,589,403, entitled “Compressed Journaling InEvent Tracking Files For Metadata Recovery And Replication”, issued on19 Nov. 2013, U.S. Pat. No. 8,412,696, entitled “Real Time Searching AndReporting”, issued on 2 Apr. 2011, and U.S. Pat. Nos. 8,589,375 and8,589,432, both also entitled “REAL TIME SEARCHING AND REPORTING”, bothissued on 19 Nov. 2013, each of which is hereby incorporated byreference in its entirety for all purposes.

2.14 Security Features

The data intake and query system provides various schemas, dashboards,and visualizations that simplify developers' tasks to createapplications with additional capabilities. One such application is thean enterprise security application, such as SPLUNK® ENTERPRISE SECURITY,which performs monitoring and alerting operations and includes analyticsto facilitate identifying both known and unknown security threats basedon large volumes of data stored by the data intake and query system. Theenterprise security application provides the security practitioner withvisibility into security-relevant threats found in the enterpriseinfrastructure by capturing, monitoring, and reporting on data fromenterprise security devices, systems, and applications. Through the useof the data intake and query system searching and reportingcapabilities, the enterprise security application provides a top-downand bottom-up view of an organization's security posture.

The enterprise security application leverages the data intake and querysystem search-time normalization techniques, saved searches, andcorrelation searches to provide visibility into security-relevantthreats and activity and generate notable events for tracking. Theenterprise security application enables the security practitioner toinvestigate and explore the data to find new or unknown threats that donot follow signature-based patterns.

Conventional Security Information and Event Management (STEM) systemslack the infrastructure to effectively store and analyze large volumesof security-related data. Traditional SIEM systems typically use fixedschemas to extract data from pre-defined security-related fields at dataingestion time and store the extracted data in a relational database.This traditional data extraction process (and associated reduction indata size) that occurs at data ingestion time inevitably hampers futureincident investigations that may need original data to determine theroot cause of a security issue, or to detect the onset of an impendingsecurity threat.

In contrast, the enterprise security application system stores largevolumes of minimally-processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the enterprise security application provides pre-specified schemas forextracting relevant values from the different types of security-relatedevents and enables a user to define such schemas.

The enterprise security application can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volume, uniform resource locatorstrings, and source addresses. The process of detecting security threatsfor network-related information is further described in U.S. Pat. No.8,826,434, entitled “SECURITY THREAT DETECTION BASED ON INDICATIONS INBIG DATA OF ACCESS TO NEWLY REGISTERED DOMAINS”, issued on 2 Sep. 2014,U.S. Pat. No. 9,215,240, entitled “INVESTIGATIVE AND DYNAMIC DETECTIONOF POTENTIAL SECURITY-THREAT INDICATORS FROM EVENTS IN BIG DATA”, issuedon 15 Dec. 2015, U.S. Pat. No. 9,173,801, entitled “GRAPHIC DISPLAY OFSECURITY THREATS BASED ON INDICATIONS OF ACCESS TO NEWLY REGISTEREDDOMAINS”, issued on 3 Nov. 2015, U.S. Pat. No. 9,248,068, entitled“SECURITY THREAT DETECTION OF NEWLY REGISTERED DOMAINS”, issued on 2Feb. 2016, U.S. Pat. No. 9,426,172, entitled “SECURITY THREAT DETECTIONUSING DOMAIN NAME ACCESSES”, issued on 23 Aug. 2016, and U.S. Pat. No.9,432,396, entitled “SECURITY THREAT DETECTION USING DOMAIN NAMEREGISTRATIONS”, issued on 30 Aug. 2016, each of which is herebyincorporated by reference in its entirety for all purposes.Security-related information can also include malware infection data andsystem configuration information, as well as access control information,such as login/logout information and access failure notifications. Thesecurity-related information can originate from various sources within adata center, such as hosts, virtual machines, storage devices andsensors. The security-related information can also originate fromvarious sources in a network, such as routers, switches, email servers,proxy servers, gateways, firewalls and intrusion-detection systems.

During operation, the enterprise security application facilitatesdetecting “notable events” that are likely to indicate a securitythreat. A notable event represents one or more anomalous incidents, theoccurrence of which can be identified based on one or more events (e.g.,time stamped portions of raw machine data) fulfilling pre-specifiedand/or dynamically-determined (e.g., based on machine-learning) criteriadefined for that notable event. Examples of notable events include therepeated occurrence of an abnormal spike in network usage over a periodof time, a single occurrence of unauthorized access to system, a hostcommunicating with a server on a known threat list, and the like. Thesenotable events can be detected in a number of ways, such as: (1) a usercan notice a correlation in events and can manually identify that acorresponding group of one or more events amounts to a notable event; or(2) a user can define a “correlation search” specifying criteria for anotable event, and every time one or more events satisfy the criteria,the application can indicate that the one or more events correspond to anotable event; and the like. A user can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The enterprise security application provides various visualizations toaid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics, such as counts ofdifferent types of notable events. For example, FIG. 17A illustrates anexample key indicators view 1700 that comprises a dashboard, which candisplay a value 1701, for various security-related metrics, such asmalware infections 1702. It can also display a change in a metric value1703, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 1700 additionallydisplays a histogram panel 1704 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338,entitled “Key Indicators View”, filed on 31 Jul. 2013, and which ishereby incorporated by reference in its entirety for all purposes.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 17B illustrates an example incident review dashboard 1710 thatincludes a set of incident attribute fields 1711 that, for example,enables a user to specify a time range field 1712 for the displayedevents. It also includes a timeline 1713 that graphically illustratesthe number of incidents that occurred in time intervals over theselected time range. It additionally displays an events list 1714 thatenables a user to view a list of all of the notable events that matchthe criteria in the incident attributes fields 1711. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent.

2.15 Data Center Monitoring

As mentioned above, the data intake and query platform provides variousfeatures that simplify the developers' task to create variousapplications. One such application is a virtual machine monitoringapplication, such as SPLUNK® APP FOR VMWARE® that provides operationalvisibility into granular performance metrics, logs, tasks and events,and topology from hosts, virtual machines and virtual centers. Itempowers administrators with an accurate real-time picture of the healthof the environment, proactively identifying performance and capacitybottlenecks.

Conventional data-center-monitoring systems lack the infrastructure toeffectively store and analyze large volumes of machine-generated data,such as performance information and log data obtained from the datacenter. In conventional data-center-monitoring systems,machine-generated data is typically pre-processed prior to being stored,for example, by extracting pre-specified data items and storing them ina database to facilitate subsequent retrieval and analysis at searchtime. However, the rest of the data is not saved and discarded duringpre-processing.

In contrast, the virtual machine monitoring application stores largevolumes of minimally processed machine data, such as performanceinformation and log data, at ingestion time for later retrieval andanalysis at search time when a live performance issue is beinginvestigated. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, Calif. For example, these performance metricscan include: (1) CPU-related performance metrics; (2) disk-relatedperformance metrics; (3) memory-related performance metrics; (4)network-related performance metrics; (5) energy-usage statistics; (6)data-traffic-related performance metrics; (7) overall systemavailability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. Suchperformance metrics are described in U.S. patent application Ser. No.14/167,316, entitled “Correlation For User-Selected Time Ranges OfValues For Performance Metrics Of Components In AnInformation-Technology Environment With Log Data From ThatInformation-Technology Environment”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

To facilitate retrieving information of interest from performance dataand log files, the virtual machine monitoring application providespre-specified schemas for extracting relevant values from differenttypes of performance-related events, and also enables a user to definesuch schemas.

The virtual machine monitoring application additionally provides variousvisualizations to facilitate detecting and diagnosing the root cause ofperformance problems. For example, one such visualization is a“proactive monitoring tree” that enables a user to easily view andunderstand relationships among various factors that affect theperformance of a hierarchically structured computing system. Thisproactive monitoring tree enables a user to easily navigate thehierarchy by selectively expanding nodes representing various entities(e.g., virtual centers or computing clusters) to view performanceinformation for lower-level nodes associated with lower-level entities(e.g., virtual machines or host systems). Example node-expansionoperations are illustrated in FIG. 17C, wherein nodes 1733 and 1734 areselectively expanded. Note that nodes 1731-1739 can be displayed usingdifferent patterns or colors to represent different performance states,such as a critical state, a warning state, a normal state or anunknown/offline state. The ease of navigation provided by selectiveexpansion in combination with the associated performance-stateinformation enables a user to quickly diagnose the root cause of aperformance problem. The proactive monitoring tree is described infurther detail in U.S. Pat. No. 9,185,007, entitled “PROACTIVEMONITORING TREE WITH SEVERITY STATE SORTING”, issued on 10 Nov. 2015,and U.S. Pat. No. 9,426,045, also entitled “PROACTIVE MONITORING TREEWITH SEVERITY STATE SORTING”, issued on 23 Aug. 2016, each of which ishereby incorporated by reference in its entirety for all purposes.

The virtual machine monitoring application also provides a userinterface that enables a user to select a specific time range and thenview heterogeneous data comprising events, log data, and associatedperformance metrics for the selected time range. For example, the screenillustrated in FIG. 17D displays a listing of recent “tasks and events”and a listing of recent “log entries” for a selected time range above aperformance-metric graph for “average CPU core utilization” for theselected time range. Note that a user is able to operate pull-down menus1742 to selectively display different performance metric graphs for theselected time range. This enables the user to correlate trends in theperformance-metric graph with corresponding event and log data toquickly determine the root cause of a performance problem. This userinterface is described in more detail in U.S. patent application Ser.No. 14/167,316, entitled “Correlation For User-Selected Time Ranges OfValues For Performance Metrics Of Components In AnInformation-Technology Environment With Log Data From ThatInformation-Technology Environment”, filed on 29 Jan. 2014, and which ishereby incorporated by reference in its entirety for all purposes.

3.0 Device Associated Data Retrieval System

FIG. 18A illustrates network architecture of that enables securecommunications between client devices 404 (e.g., 404(1), 404(2), etc.)and an on-premises environment 1860 for data intake and query system108, in accordance with example embodiments. As described above, a usermay install and configure, on computing devices owned and operated bythe user, one or more software applications that implement some or allof the data intake and query system 108. For example, a user may installa software application on server computers owned by the user andconfigure each server to operate as one or more of a forwarder, anindexer, a search head, etc. This arrangement generally may be referredto as an “on-premises” solution. An on-premises solution may provide agreater level of control over the configuration of certain aspects ofthe system (e.g., security, privacy, standards, controls, etc.).

In various embodiments, cloud-based data intake and query system 306,executing in cloud environment 1805, may serve as a secure bridgebetween extended reality application 1814 and an on-premises environment1860. In other implementations, the on-premises environment 1860 may beomitted and the entire computational process may be carried out in oneor more aspects or components of cloud environment 1805. In variousembodiments, cloud environment 1805 may include cloud-based data intakeand query system 306, which communicates with data intake and querysystem 108 via network 304. Cloud environment 1805 may further includemiddleware code 1852 and/or push notification service 1854, whichcommunicate with extended reality application 1814 via network 420. Invarious embodiments, network 304 and network 420 may be the same networkor may include one or more shared network components that communicatewith both network 304 and network 420. In various embodiments, dataintake and query system 108 may communicate with network interface 1808of client device 404 through use of a mobile gateway that facilitatescommunication between devices behind a firewall, or set of firewalls,without requiring additional port openings.

In various embodiments, client device 404 retrieves data and displaysthe retrieved data via extended reality application 1814 and/or mobileoperations application 1816. For example, client device 404 send a queryto data intake and query system 108 in order to receive a response thatincludes a set of field values. These field values, extracted fromevents, could be associated with data included in the query. In variousembodiments, client device 404 and/or data intake and query system 108may generate content (e.g., schemas, dashboards, cards, and/orvisualizations) based on the extracted field values.

In various embodiments, an object may have a tag that encodes orotherwise includes data. The data in the tag includes a textual and/ornumerical string that operates as a unique identifier (UID). The tag isprovided by an entity that owns or operates the environment in which theobject resides. Client device 404 scans tags associated with an object,decodes data included in the tag, determines the unique identifier fromthe decoded data and uses the unique identifier to receive field values,extracted from events, which are associated with the object. In variousembodiments, client device 404 and/or data intake and query system 108may generate content (e.g., schemas, dashboards, cards, and/orvisualizations) based on the extracted field values.

Extended reality application 1814 and/or mobile operations application1816 executing on client device 404 may establish secure, bidirectionalcommunications with data intake and query system 108. For example, insome embodiments, a persistent, always-open, asynchronous socket forbidirectional communications (e.g., a trusted tunnel bridge) through afirewall of on-premises environment 1860 could be established betweendata intake and query system 108 and cloud-based data intake and querysystem 306. Cloud-based data intake and query system 306 may thencommunicate with extended reality application 1814 and/or mobileoperations application 1816 via middleware code 1852 executing in cloudenvironment 1805.

Additionally, in some embodiments, cloud-based data intake and querysystem 306 and/or middleware code 1852 may communicate with extendedreality application 1814 and/or mobile operations application 1816 via apush notification service 1854, such as Apple Push Notification service(APNs) or Google Cloud Messaging (GCM). For example, data intake andquery system 108 could, based on the unique identifier, output to one ormore client devices 404 content that includes real-time data associatedwith a particular object. The content may then be displayed by clientdevice 404. For example, mobile operations application 1816 coulddisplay the content in a window provided by client device 404. In someembodiments, extended reality application 1814 displays the content inrelation to the real-world object, in conjunction with an augmentedreality workspace, as discussed below in further detail. Additionally oralternatively, various playbooks, insights, predictions, annotations,and/or runbooks that include set of commands and/or simple logic trees(e.g., if-then-else) associated with an object and possible actions(e.g., “if the operating temperature is above 100 degrees Celsius, thenshow options for activating fans”) may be implemented and/or displayedto the user.

In some embodiments, in order to authenticate an instance of extendedreality application 1814 and/or mobile operations application 1816associated with a particular user and/or client device 404, extendedreality application 1814 and/or mobile operations application 1816 maycause a unique identifier associated with the user and/or client device404 to be displayed on a display device (e.g., on a display of clientdevice 404). The user may then register the unique identifier withcloud-based data intake and query system 306 and/or data intake andquery system 108, such as by entering the unique identifier into a userinterface (e.g., a web portal) associated with cloud-based data intakeand query system 306 or data intake and query system 108. In response,extended reality application 1814 and/or mobile operations application1816 may receive credentials that can be used to access real-time dataoutputted by data intake and query system 108. Additional queriestransmitted by client device 404 to data intake and query system 108 maythen implement the credentials associated with the unique identifier. Inthis manner, secure, bidirectional communications may be establishedbetween client device 404 and data intake and query system 108.

Once the communications connection is established, a user may causeclient device to acquire data based on a tag affixed to or otherwiseassociated with a given object. For example, client device 404 couldscan a tag affixed to a given object and may decode the tag to retrievea unique object identifier (ID) from the tag that corresponds to theparticular object. Once client device 404 obtains the unique object ID,client device transmits queries to data intake and query system 108requesting one or more values associated with the object. For example,client device 404 could send a request for specific field values for theobject. Client device 404 could include the unique object ID in therequest sent to data intake and query system 108. In response, dataintake and query system 108 may retrieve events associated with theunique object ID and may use extraction rules to extract values forfields in the events being searched, where the extracted values includethe requested field values. Data intake and query system 108 thentransmits the field values associated with the unique object ID toclient device 404. In various embodiments, data intake and query system108 may transmit the raw data retrieved from the field values includedin the event data. Alternatively, data intake and query system 108 mayfilter, aggregate, or otherwise process the raw data prior totransmitting the field values. For example, in some embodiments, dataintake and query system 108 may generate a dashboard associated with theunique object ID. The dashboard may include a filtered subset of datavalues, where the subset of data values is filtered based on additionalcriteria, such as user role (e.g., a user role identifier value),location, type of device (e.g., whether client device 404-1 is a smartphone, tablet, AR headset, etc.), and/or time.

Extended reality application 1814 receives the field values from dataintake and query system 108, where the field values represent the valuesof one or more metrics associated with the unique object ID. In animplementation, the field values are extracted from fields that aredefined post-ingestion (e.g., at search time), as has been previouslydescribed (e.g., with a late-binding schema). The field valuestransmitted by data intake and query system 108 may be in anytechnically-feasible format.

In various embodiments, data intake and query system 108 generates adashboard that includes one or more visualizations of the underlyingtextual and/or numerical information based on the retrieved fieldvalues. In various embodiments, mobile operations application 1816 maydisplay one or more visualizations included in the dashboard receivedfrom data intake and query system 108. Additionally or alternatively,extended reality application 1814 generates an AR workspace thatincludes one or more panels, where the one or more panels include thevisualizations included in the dashboard as a portion of an ARworkspace. In some embodiments, the dashboard may also include a portionof the field values as a data set. In such instances, extended realityapplication 1814 and/or mobile operations application 1816 may generatevisualizations based on the field values included in the data set.

FIG. 18B illustrates a more detailed view of the example networkedcomputer environment 100 of FIG. 1 , in accordance with exampleembodiments. As shown, the networked computer environment 1801 mayinclude, without limitation, data intake and query system 108 and clientdevice 404 communicating with one another over one or more networks 420.Data intake and query system 108 and client device 404 functionsubstantially the same as described in conjunction with FIGS. 1 and 4 ,except as further described herein. Examples of client device 404 mayinclude, without limitation, a mobile device (e.g., a smartphone, atablet computer, a handheld computer, a wearable device, a portablemedia player, a virtual reality (VR) console, an augmented reality (AR)console, a laptop computer, etc.), a desktop computer, a server, agaming device, a streaming device (e.g., an Apple TV® device, a Roku®device, etc.), and so forth. Client device 404 may include, withoutlimitation, processor 1802, storage 1804, input/output (I/O) deviceinterface 1806, network interface 1808, interconnect 1810, and systemmemory 1812. System memory 1812 includes extended reality application1814, mobile operations application 1816, and database 1818.

In general, processor 1802 may retrieve and execute programminginstructions stored in system memory 1812. Processor 1802 may be anytechnically-feasible form of processing device configured to processdata and execute program code. Processor 1802 could be, for example, acentral processing unit (CPU), a graphics processing unit (GPU), anapplication-specific integrated circuit (ASIC), a field-programmablegate array (FPGA), and so forth. Processor 1802 stores and retrievesapplication data residing in the system memory 1812. Processor 1802 isincluded to be representative of a single CPU, multiple CPUs, a singleCPU having multiple processing cores, and the like. In operation,processor 1802 is the master processor of client device 404, controllingand coordinating operations of other system components.

System memory 1812 stores software application programs and data for useby processor 1802. For example, system memory 1812 could include,without limitation, extended reality application 1814, mobile operationsapplication 1816, and/or database 1818. Processor 1802 executes softwareapplication programs stored within system memory 1812 and optionally anoperating system. In particular, processor 1802 executes software andthen performs one or more of the functions and operations set forth inthe present application.

The storage 1804 may be a disk drive storage device. Although shown as asingle unit, the storage 1804 may be a combination of fixed and/orremovable storage devices, such as fixed disc drives, floppy discdrives, tape drives, removable memory cards, or optical storage, networkattached storage (NAS), or a storage area-network (SAN). Processor 1802communicates to other computing devices and systems via networkinterface 1808, where network interface 1808 is configured to transmitand receive data via one or more communications networks 420.

Interconnect 1810 facilitates transmission, such as of programminginstructions and application data, between processor 1802, input/output(I/O) device interface 1806, storage 1804, network interface 1808, andsystem memory 1812. I/O device interface 1806 is configured to receiveinput data from user I/O devices. These I/O devices include, withoutlimitation, sensor(s) 1820 (e.g., one or more cameras, locationsensor(s), etc.), input device(s) 1822 (e.g., a keyboard, stylus,microphone, etc.), and/or a display device 1824. Display device 1824generally represents any technically-feasible means for generating animage for display. For example, display device 1824 may be a liquidcrystal display (LCD) display, organic light-emitting diode (OLED)display, or a digital light processing (DLP) display. Camera 1820acquires images via a lens and converts the images into digital form.The images acquired by the camera 1820 may be stored in storage 1804and/or system memory 1812. An acquired image may be displayed on thedisplay device 1824, either alone or in conjunction with one or moreother acquired images, graphical overlays, and/or other data.

Location sensor(s) 1820 enable client device 404 to determine thephysical location and/or orientation of client device 404. In someembodiments, location sensor(s) 1820 may include a network-based sensorthat communicates with data intake and query system 108 via one or morenetwork(s) 420, which may be part of a production-monitoring network. Insome embodiments, location sensor(s) 1820 may include a network-basedsensor that communicates with one or more data intake and query systems108 via a local area network and/or a wide area network. In variousembodiments, the production-monitoring environment may include multipleobjects and/or multiple client devices 404, each of which maycommunicate with a data intake and query system 108 and each of which iscapable of identifying one or more objects based on identifier tags,geofences, and/or any other object-identification technique disclosedherein. Microphone 1822 acquires audio signals for storage and analysis.Additional examples of user I/O devices 1822 (not explicitly shown) mayinclude one or more buttons, a keyboard, and a mouse or other pointingdevice. I/O device interface 1806 may also include an audio output unitconfigured to generate an electrical audio output signal, and theadditional user I/O devices may further include a speaker configured togenerate an acoustic output in response to the electrical audio outputsignal.

4.0 Scaled Authentication of Endpoint Devices

As described above, one problem with conventional approaches formanaging endpoint devices that access machines in a particular operatingenvironment is that registering a large number of such devices usingregistration applications is cumbersome for both individual users ofendpoint devices, as well as administrators of the networked computingenvironment. As a result, system administrators do not distributeapplications to register large quantities of endpoint devices. Suchpractices clients from using such applications, or even from using theseparticular operating environments.

Accordingly, in various embodiments disclosed herein, an endpoint deviceauthentication system is implemented to distribute information necessaryto enable large quantities of endpoint devices to directly register withmultiple devices within the networked computing environment. An endpointdevice manager generates a resource file that identifies multipledevices operating within the networked computer environment, andincludes various encryption keys. A given endpoint device uses theresource file to select a particular device with which to directlyregister. In particular, the endpoint device employs the encryption keysprovided in the resource file in order to encrypt and sign a packetcontaining user credentials. The endpoint device then sends encryptedand signed user credentials to the selected device, via an end-to-endencryption (E2EE) of communications between the endpoint application andthe selected device. These techniques are described below in furtherdetail in conjunction with FIGS. 19-24 .

4.1 Endpoint Device Authentication System

FIG. 19 is a block diagram of another example networked computerenvironment 100 of FIG. 1 , in accordance with example embodiments. Asshown, the networked computer environment 1900 may include, withoutlimitation, an endpoint device 1910 that includes endpoint managementapplication 1912, destination devices 1940 that include remoteapplications 1942 and data intake and query systems (DIQS) 1944, and anendpoint device manager 1950 that includes a resource file 1952,identifier files 1954, an application list 1956, and an endpoint devicemanager (EDM) key pair 1958.

Endpoint device 1910 functions substantially the same as client device102, 404 described in conjunction with FIGS. 1 and 4 , except as furtherdescribed herein. Examples of endpoint device 1910 may include, withoutlimitation, a smartphone, a tablet computer, a handheld computer, awearable device, a virtual reality (VR) console, an augmented reality(AR) console, a laptop computer, a desktop computer, a server, aportable media player, a gaming device, and so forth. In someembodiments, endpoint device 1910 executes one or more applications thatdisplay, compute, or generate data based on data received from remoteapplication 1942. For example, endpoint device 1910 could execute anaugmented reality or virtual reality (AR/VR) application, which displaysperformance metrics and/or other data provided by remote application1942 and/or DIQS 1944. In some embodiments, endpoint device 1910 mayinclude, without limitation, smartphones, tablet computers, handheldcomputers, wearable devices, laptop computers, desktop computers,servers, portable media players, gaming devices, an Apple TV® devices,and so forth.

In some embodiments, remote application 1942 may send messages toendpoint device 19410 in accordance with push notification service 1854,such as the APPLE® Push Notification service (APN), or GOOGLE® CloudMessaging (GCM). For example, endpoint device 1910 could receive variousschemas, dashboards, playbooks, runbooks, cards, and/or visualizationsthat include real-time data associated with a particular machine. Theschemas, dashboards, cards, and/or visualizations could then be overlaidwith the real-world component by an AR/VR application.

Credential data packet 1915 is a formatted unit of data carried througha network via tunnel bridge 1920. Credential data packet 1915 includesuser credential data relating to a particular user and/or endpointdevice 1910 accessing a specific remote application 1942. For example,endpoint management application 1912 could generate a first credentialdata packet 1915(1) that includes user credentials applicable to remoteapplication 1942(1), and could generate a second credential data packet1915(2) that includes user credentials applicable to remote application1942(2).

Device key pair 1916 is a public/private key pair associated withendpoint device 1910. In various embodiments, endpoint device 1910 mayencrypt credential data packet 1915 using device key pair 1916 togenerate encrypted credential data packet 1918, where encryptedcredential data 1918 is transmitted over tunnel bridge 1920 to variousdestination devices. In such instances, endpoint device 1910 may send apublic device key included in device key pair 1916 in order to enablespecific devices to decrypt data packets that were encrypted by endpointdevice 1910, including encrypted credential data packet 1918.

Tunnel bridge 1920 is a device that establishes communications with oneor more devices included in the networked computer environment 1900. Forexample, tunnel bridge 1920 could establish a Web Socket connection1922(1) to endpoint device in a first network and a separate Web Socketconnection 1922(2) to the destination device 1940 (e.g., destinationdevice 1940(1)) that implements one or more portions of the data intakeand query system 108 (e.g., DIQS 1944(1)) in a second network. In someembodiments, tunnel bridge 1920 may be a trusted service thatestablishes trust with one or more devices in order to establish secureWeb Socket connections 1922 with such devices. In some embodiments,tunnel bridge 1920 may perform authentication operations with otherdevices in order to establish trust, and may then establish securecommunications channels with the other devices, where tunnel bridge 1920and/or other devices and transmit secure communications using the securecommunications channels.

In some embodiments, tunnel bridge 1920 enables E2EE communicationsbetween two separate devices by forwarding one or more encrypted datapackets without fully decrypting the encrypted data packet. For example,tunnel bridge 1920 could receive an encrypted data packet that wasencrypted and signed using multiple encryption keys. Trusted tunnelbridge 1920 may determine whether the encrypted data packet was validlysigned with one of the encryption keys without decrypting the encrypteddata packet.

WebSocket connections 1922 (e.g., 1922(1) and 1922(2)) are full-duplexcommunications channels between tunnel bridge 1920 and other devices1910, 1940. In various embodiments, tunnel bridge 1920 may establishWebSocket connections 1922(1)-1922(2) using WebSocket handshaketechniques with a particular device. In some embodiments, the WebSocketconnection enables two-way communications between tunnel bridge 1920 anda device without opening a port in a firewall. For example, as shown,Web Socket connection 1922(2) between tunnel bridge 1920 and the remoteapplication 1942(1) provides a persistent, always-open, asynchronoussocket for bidirectional communications through firewall 1930. In someembodiments, the Web Socket connection can be a secure connection thatfacilitates encrypted communication. For example, tunnel bridge 1920could establish secure Web Socket connection 1922(2) to remoteapplication 1942(1) in order to transmit encrypted credential datapackets 1918 and/or other encrypted data packets directly to thedestination device 1940(1). In other embodiments, tunnel bridge 1920,acting as trusted tunnel bridge may establish other secure connections,such as RPC connections (e.g., one or more gRPC channels) to endpointdevice 1910 and/or destination device 1940.

Firewall 1930 is present between one or more endpoint devices 1910 otherdevices, including the tunnel bridge 1920, destination device 1940,and/or endpoint device manager 1950, which, in some embodiments, may bewithin different networks. In some embodiments, the tunnel bridge 1920may be included in a first network, while firewall 1930 and/ordestination devices 1940 may be included in a second network.

Destination device 1940 is a device that receives data packets (e.g.,encrypted credential data packet 1918) from endpoint device 1910 viatunnel bridge 1920. In various embodiments, multiple destination devices1940 (e.g., 1940(1), 1940(2), 1940(3)) may execute distinct remoteapplications 1942 (e.g., 1942(1), 1942(2), 1940(3)) and/or data intakeand query system instances 1944 (e.g., 1944(1), 1944(2), 1944(3)). Insome embodiments, endpoint device 1910 may separately completeregistration with remote applications 1942(1), 1942(2), 1942(3). In suchinstances, endpoint device 1910 may, upon registration, maintainmultiple active sessions with the respective remote applications1942(1), 1942(2), 1942(3).

Remote application 1942 may be an application executed by one or morecomputing resources within destination device 1940 and/or othercomputing resources within on-premises environment 1860. In someembodiments, remote application 1942 may be an application thatgenerates, computes, and/or collects data included in on-premisesenvironment 1860 and/or cloud environment 1850. In various embodiments,remote application 1942 may be an application that implements DIQS 1944that retrieves data by querying a field-searchable data store includedin the network. For example, remote application 1942 may be an instanceof the SPLUNK® ENTERPRISE system, an application within the cloud-basedenvironment, such as SPLUNK CLOUD™, an application for a self-servicecloud, or another deployment of an application that implements theSplunk processing language (SPL).

For example, remote application 1942(2) could implement the DIQS 1944(2)in order to extract one or more fields of data from a field-searchabledata store. In such instances, remote application 1942(2) could retrievethe extracted fields as portions of a text string, such as: 2018-07-2800:07:01,781 INFO [async_client] [async_client] [async_post_request][16574] POST headers={‘Authorization’: u'SplunkM4q2ROpGJCpng81Wi8JJsyV1yGI xrIhI_1UsIUxvVk3m_I12q6Q83Drf7P68v8H68kvQ7RHgA2eJz5o-LSnw4dO0ywEsTodOD0jdWDNGhj9zFGNRuCiBWovEyXnO25X3_aNjSwyO_rE_ik7′,Content-Type: application/json’},uri=https://127.0.0.1:8089/servicesNS/nobody/spacebridge-app/storage/collections/data/alert_recipient_devices,params=None, data={“py/object”: “space bridgeapp.data.alert_data.RecipientDevice”, “timestamp”: “1532736421.201776”, “alert_id”: “5b5bb3a580db6133e603d 33f”, “device_id”:“y+DJALQwOXERwVDBzUe340ya1MINAId0IPzRBdtt91U=” } host=ip-10-0-240-141source=/opt/splunk/var/log/splunk/spacebridge-app.log sourcetype=spacebridge-app-too_small.

In some embodiments, remote application 1942(2) may, upon registeringendpoint device 1910, send the extracted fields to endpoint device 1910via tunnel bridge 1920.

Application key pair 1943 is a public/private key pair associated withremote 1942. For example, application key pair 1943(1) could bespecifically associated with remote application 1942(1); in a similarmanner, application key pair 1943(2) (not shown) could be specificallyassociated with remote application 1942(2). In various embodiments,remote application 1942(1) may encrypt data using a private applicationkey included in application key pair 1943(1). In such instances, remoteapplication 1942(1) may send to recipient devices a public applicationkey that is included in application key pair 1943(1). In such instances,recipient devices could decrypt data packets that were encrypted byremote application 1942(1) using the corresponding private applicationkey. In some embodiments, devices that receive the public applicationkey may encrypt data packets using the public application key. In suchinstances, public application 1942(1) may successfully validate thepacket by using the private application key to decrypt the data packet.

For example, endpoint management application 1912 could generateencrypted credential data packet 1918 by encrypting credential datapacket 1915 with a public application key included in application keypair 1943(1). Remote application 1942(1) may then validate encryptedcredential data packet 1918 using the private application key includedin application key pair 1943(1).

Endpoint device manager 1950 includes one or more devices that managethe deployment of information to manage endpoint devices 1910 thatattempt access to networked computer environment 1900. In variousembodiments, endpoint device manager 1950 may employ various deploymenttechniques in order to manage various endpoint devices 1910 and/ormanage registration of endpoint devices 1910 with computing resources,such as destination devices 140. In such instances, endpoint devicemanager 1950 could send to endpoint devices 1910 information associatedwith one or more remote applications 1942 that enables endpoint devices1910 to securely communication with the one or more remote applications1942. For example, endpoint device manager 1950 could distribute aresource file 1952 that has information associated with remoteapplications 1942(1), 1942(2), 1942(3). In such instances, endpointdevice 1910 could extract information included in resource file 1952 inorder to directly register endpoint device 1910 with one or morespecific remote applications 1942(1), 1942(2), 1942(3) via one or moresecure data packets.

Resource file 1952 includes one or more encryption keys, as well as dataassociated with one or more remote applications 1942. In variousembodiments, resource file 1952 may include endpoint device manager keypair 1958 that is provided by an endpoint device manager service. Invarious embodiments, resource file 1952 may include the contents ofapplication list 1956. In some embodiments, resource file 1952 mayinclude contents of one or more identifier files 1954.

Identifier files 1954 are separate files (e.g., identifier file 1954(1),1954(2)) that are respectively associated with a specific remoteapplication 1942(1). For example, identifier file 1954(1) may includeinformation associated with remote application 1942(1), such as the nameof remote application 1942(1) (e.g., “Sales Data_Main”), as well as thepublic application key associated with remote application 1942(1). Insome embodiments, endpoint device manager may generate a resource file1952 by combining contents of multiple identifier files 1954. Forexample, endpoint device manager 1950 could concatenate the contents ofthe identifier files 1954(1), 1954(2), 1954(3) when generating resourcefile 1952. In such instances, endpoint management application 1912 couldextract information from resource file 1952 to register with any ofremote applications 1942(1), 1942(2), 1942(3), in any order.

Application list 1956 is a list that identifies remote applications(e.g., remote applications 1942(1), 1942(2), etc.) are active withincomputer environment 1900. For example, as shown, application list 1956identifies remote applications 1942(1), 1942(2), 1942(3) as activeapplications. In some embodiments, endpoint management application 1912may refer to a list of active remote applications included in resourcefile 1952 in order to identify a group of candidate remote applicationswith which endpoint device 1910 can register. For example, resource file1952 could include the contents of application list 1956, which listsremote applications 1942(1), 1942(2), and 1942(3) as activeapplications. In such instances, endpoint management application 1912could provide an interface to the user of endpoint device 1910, wherethe interface lists the candidate remote applications.

Endpoint device manager (EDM) key pair 1958 is a public/private key pairassociated with an endpoint device management service. In variousembodiments, an endpoint device management service may enable endpointdevice manager 1950 to identify and manage endpoint devices 1910 withincomputer environment 1900. For example, the endpoint device managementservice may configure policies and distribute those policies to endpointdevices 1910 via endpoint manager 1950. In some embodiments, theendpoint device management service may distribute EDM key pair 1958 todevices within 1900, including, but not limited to, endpoint devicemanager 1950, tunnel bridge 1920, and/or destination devices 1940. Insuch instances, one or more devices 1920, 1940, 1950 may use EDM keypair 1958 to authenticate messages sent by endpoint device 1910 and/orenforce policies implemented by the endpoint device management service.

In operation, endpoint device manager 1950 generates resource file 1952,which includes contents from one or more of identifier file 1954,application list 1956, and/or EDM key pair 1958. Endpoint device manager1950 sends the generated resource file 1952 to endpoint device 1910.Endpoint management application 1912 uses content included in resourcefile 1952 to select a specific remote application (e.g., remoteapplication 1942(1)) to access. Endpoint management application 1912then generates credential data packet 1915 that includes usercredentials that are applicable to the specific remote application1942(1). Endpoint management application 1912 encrypts credential datapacket using one or more encryption keys, including one or moreencryption keys included in the resource file 1952. Once endpointmanagement application 1912 transmits encrypted credential data packet1918, tunnel bridge 1920 and/or remote application 1942(1) may attemptauthentication and/or decryption of encrypted credential data packet1918 using the applicable encryption keys (e.g., using a private remoteapplication key to decrypt encrypted credential data packet 1918 thatwas encrypted with a public remote application key).

When generating the encrypted credential data packet 1918 in accordancewith an E2EE encryption technique, endpoint management application 1912may implement one or more public/private key pair systems. For example,endpoint management application 1912 can encrypt the credential datapacket 1915 using multiple private keys, including a private device keythat is included in device key pair 1916; additionally, endpointmanagement application 1912 could use a private EDM key that is includedin EDM key pair 1958. In another example, endpoint managementapplication 1912 could encrypt credential data packet 1915 using apublic key associated with a particular remote application (e.g., apublic remote application key included in application key pair 1943(1)).In such instances, tunnel bridge 1920 and/or remote application 1942could authenticate encrypted credential data packet 1918 upon receiptusing the corresponding private and/or public keys.

In various embodiments, endpoint device 1910 may encrypt data usingeither EDM key included in EDM key pair 1958. In such instances, otherdevices within computer environment 1900 may use a corresponding keyfrom EDM key pair 1958 to decrypt data packets that were encrypted byendpoint device 1910. For example, endpoint management application 1912could generate encrypted credential data packet 1918 using one or more aprivate EDM encryption key included in EDM key pair 1958. Tunnel bridge1920 could separately receive EDM key pair from 1958 and could use thecorresponding public EDM key from EDM key pair 1958 in order todetermine that the EDM key pair is valid. In some embodiments, tunnelbridge 1920 may respond to receiving encrypted credential data packet1918 by sending a separate EDM key request to remote application 1942 toconfirm that EDM key pair 1958 is valid. For example, tunnel bridge 1920may send a secret message to remote application 1942(1). When remoteapplication 1942(1) confirms that the secret message matches EDM keypair 1958, tunnel bridge 1920 could then send encrypted credential datapacket 1918 to remote application 1942(1).

4.2 Managed Endpoint Deployment

FIG. 20A is an example user interface for configuring identifier files1954 of FIG. 19 , in accordance with example embodiments. Interface2000, as generated by endpoint device manager 1950, includes deploymentconfiguration window 2001, device registration window 2020, and resourcefile generation window 2024. Deployment configuration window 2001includes multiple values associated with a specific remote application1942, including deployment identifier (ID) 2002, remote application ID2004, and encryption keys, including signing public application key2006, encryption public application key 2008, and EDM public key 2010.

In operation, a user of endpoint device manager 1950, such as a systemadministrator, may review the deployment information provided indeployment configuration window 2001, which corresponds to informationthat is to be included in the contents of identifier file 1954. In someembodiments, a system administrator may submit an input to generateidentifier file 1954. In various embodiments, identifier file 1954 mayalso include one or more encryption keys 2006-2010, as well as remoteapplication ID 2004. For example, endpoint device manager 1950 couldreceive a user input when the user selects the “create applicationidentifier file” icon 2022 within device registration window 2020. Insuch instances, endpoint device manager 1950 may respond to the userinput by generating an identifier file 1954(3) that includes the one ormore encryption keys 2006-2010 and remote application ID 2004 associatedwith remote application 1942(3).

FIG. 20B is an example user interface for facilitating the generation ofa resource file 1952 of FIG. 19 , in accordance with exampleembodiments. Interface 2030 includes device registration window 2020 andresource file generation window 2024.

In operation, a user of endpoint device manager 1950 selects multiplepreviously-generated identifier files 1954. Endpoint device manager 1950responds by combining the selected identifier files 1954 into a singleresource file 1952. In some embodiments, endpoint device manager 1950may, based on the selected identifier files, add contents fromapplication list 1956 into resource file 1952.

As shown, a user could select the “combine identifier files” icon 2036within resource file generation window 2024. Endpoint device manager1950 could respond to the user input by combining the listed identifierfiles 2032, 2034 into resource file 1952. For example, endpoint devicemanager 1950 may concatenate the contents of “EyefulSquirmEverett”identifier file 2032 after the contents of “BagelDonutChocloate”identifier file 2034. Endpoint device manager 1950 could also includethe portions of application list 1956 that identifies theEyefulSquirmEverett remote application and the BagelDonutChocloateremote application as active instances.

FIG. 20C is an example user interface that displays the contents of aresource file 1952 of FIG. 19 , in accordance with example embodiments.Interface 2040 includes deployment configuration window 2001, deviceregistration window 2020, resource file generation window 2024, andcomplete resource file 2042.

In various embodiments, endpoint device manager 1950 may distributeresource file 2042 to one or more endpoint devices 1910 in order toenable endpoint devices 1910 to directly register with one or moreremote applications 1942. For example, endpoint device manager 1950could send resource file 2042 to a group of endpoint devices thatincludes endpoint device 1910. In such embodiments, endpoint managementapplication 1912 may check for resource file 2042 during startup todetermine whether to register with one or more remote applications 1942.

FIG. 21 is an example user interface for deploying a resource file 2042of FIG. 20C, in accordance with example embodiments. Interface 2100, asgenerated by endpoint device manager 1950, includes a group distributionmenu 2110 that includes a managed endpoint device list 2112, and adistribution summary menu 2120 that includes a distributed endpointdevice users 2122.

Group distribution menu 2110 includes managed endpoint device list 2112,which lists one or more endpoint devices 1910 in networked computerenvironment 1900 that are managed by endpoint device manager 1950.Distribution summary menu 2120 includes distributed endpoint deviceusers 2122, which lists each user that is associated with a managedendpoint device 1910 that received resource filed 2042. In variousembodiments, endpoint device manager 1950 may generate a resource file2042 that includes one or more identifier files 2032, 2034 that arerespectively associated with specific remote applications. In suchinstances, a user may select a group of endpoint devices from managedendpoint device list 2112 in order to facilitate the selected group toregister with the specific remote applications.

For example, endpoint device manager 1950 could generate resource file2042 by combining identifier files 2032 and 2034. Once endpoint devicemanager 1950 generates resource file 2042, a system administrator couldselect, from managed endpoint device list 2112, a subset of managedendpoint devices 1910 (e.g., a group of tvOS devices) of intendedrecipients, where each endpoint device in the intended recipient subsetis to receive resource file 2042. Endpoint device manager 150 couldrespond to the selection of the subgroup by transmitting resource file2042 to the selected group of endpoint devices. In some embodiments,endpoint device manager 150 causes resource file 2042 to be distributedto the intended recipient subset via the managed endpoint deviceservice. In other embodiments, endpoint device manager 150 may transmitresource file 2042 to individual endpoint devices (e.g., endpoint device1910) without selecting an intended recipient subset.

4.3 Managed Endpoint Device Registration

FIG. 22 illustrates a call flow diagram 2200 showing interactionsbetween various components of the example networked computingenvironment 1900, in accordance with example embodiments. One or morecomponents of network computer environment 1900 may perform variousoperations to register endpoint device 1910 with a specific remoteapplication 1942(1), including generation of encrypted credential datapacket 1918 and secure transmission of encrypted credential data packet1918 via tunnel bridge 1920 to remote application 1942(1).

Endpoint device 1910 performs actions 2205 to create credential datapacket 1915. For example, endpoint device 1910 could access informationincluded in resource file 2042 in order to identify remote applications1942 as active applications with which endpoint device 1910 canregister. Endpoint device 1910 displays to the user a list of the remoteapplications 1942. Once a user selects a remote application with whichto register (e.g., remote application 1942(1), the user could providespecific user credentials, such as by inputting a user name andpassword, that could be used to access the selected remote application1942(1). Endpoint device 1910 performs one or more actions 2205 togenerate credential data packet 1915 that includes the provided usercredentials. In various embodiments, the payload of credential datapacket 1915 may include remote application ID 2004 that is associatedwith the selected remote application 1942(1), the user name, and/or thepassword.

Endpoint device 1910 performs actions 2210 to generate encryptedcredential data packet 2215. In various embodiments, endpoint device1910 may perform one or more actions 2210 to retrieve one or moreencryption keys from resource file 1952. Endpoint management application1912 may then use one or more of the retrieved keys to encrypt and/orsign credential data packet 1915, thereby generating encrypted datapacket 1918. In some embodiments, endpoint device 1910 may receive EDMkey pair 1958 from a managed endpoint device service; in such instances,endpoint management application 1912 may sign the encrypted credentialdata packet with the private EDM key. In some embodiments, endpointmanagement application 1912 may retrieve the public EDM key 2010 fromresource file 1952 and may sign the encrypted data packet with publicEDM key 2010.

For example, endpoint management application 1912 could use threeseparate keys to encrypt and/or sign credential data packet 1915.Endpoint management application 1912 could first encrypt credential datapacket 1915 with a private device key. Endpoint management application1912 could then sign the encrypted data packet with a signing publicremote application key 2006 included in resource file 2042, as well aswith the public EDM key 2010.

Endpoint device 1910 then sends the encrypted-and-signed credential datapacket 2215 to tunnel bridge 1920. In some embodiments, endpoint device1910 may send an additional message, such as a polling message, totunnel bridge 1920 in order to establish Websocket connections 1922between endpoint device 1910 and the selected remote application1942(1). Once a connection 1922(1) is established between endpointdevice 1910 and tunnel bridge 1920, endpoint device 1910 may sendencrypted credential data packet 2215 to tunnel bridge 1920 viaconnection 1922(1).

Tunnel bridge 1920 performs one or more actions 2220 to determinewhether the EDM key that was used to sign the encrypted credential datapacket 2215 is valid. In some embodiments, tunnel bridge 1920 mayreceive EDM key pair 1958 from a managed endpoint device service; insuch instances, tunnel bridge 1920 may use the received EDM keys inorder to determine whether the EDM key used by endpoint device 1910 tosign encrypted-and-signed credential data packet 2215 is valid. Whentunnel bridge 1920 accepts the signature for the private EDM key, tunnelbridge 1920 transmits the encrypted credential data packet 2225 toremote application 1942(1). Otherwise, tunnel bridge 1920 may drop theencrypted credential data packet and cause an error message to be sentto endpoint device 1910 specifying that the authorization request wasnot accepted.

In some embodiments, tunnel bridge 1920 may send a separate EDM keyrequest to remote application 1942 to confirm that EDM key pair 1958 isvalid. For example, tunnel bridge 1920 may send an EDM key message toremote application 1942(1). When remote application 1942(1) confirmsthat contents of the EDM key message match EDM key pair 1958, tunnelbridge 1920 could then send encrypted credential data packet 2225 toremote application 1942(1) confirming that the signature provided by theEDM key is valid.

In some embodiments, remote application 1942(1) may respond to receivingencrypted credential packet 2225 by sending a public key request 2230 totunnel bridge 1920. In such instances, remote application 1942(1) maysend public key request 2230 in order to receive the public device keycorresponding to the private key that endpoint device 1910 used toencrypt the encrypted credential data packet 2225. In such instances,tunnel bridge 1920 responds by sending public key response 2235 thatincludes the public device key included in device key pair 1916.

Remote application 1942(1) performs one or more actions 2240 to decryptthe encrypted credential data packet 2225 using one or more encryptionkeys. For example, remote application may use the private remoteapplication key included in application key pair 1943(1) to determinewhether the encrypted credential data packet was validly signed withsigning public remote application key 2006. In some embodiments, remoteapplication 1942(1) may use the public device key included in public keyresponse 2235. In such instances, remote application 1942(1) may decryptthe encrypted data packet 2225 using the received public device key.

In various embodiments, remote application 1942(1) may successfullyvalidate the signatures used to sign encrypted credential data packet2225, and/or decrypt the encrypted credential data packet 2225. In suchinstances, remote application 1942(1) may retrieve contents from thepayload of encrypted credential data packet 2225. Otherwise, in someembodiments, remote application 1942(1) may drop the encryptedcredential data packet 2225 and cause an error message to be sent toendpoint device 1910 specifying that the authentication request faileddue to the encrypted credential data packet 2225 being dropped.

Remote application 1942(1) and/or data intake and query system 1944(1)included in destination device 1940(1) attempts to, based on the usercredentials included in encrypted credential data packet 2225,authenticate and authorize the user of endpoint device 1910. Forexample, upon decrypting the encrypted credential data packet 2225,remote application 1942(1) could perform actions 2245 to create acredential token that includes the user credential information includedin the payload of encrypted credential data packet 2225. Once credentialtoken 2250 is created, remote application 1942(1) could send thecredential token 2250 to data intake and query system 1944(1). Uponreceiving credential token 2250, DIQS 1944(1) attempts to authorize theuser to access remote application 1942(1). In some embodiments, DIQS1944(1) may send to a data source an authorization query that containsthe user credential information. DIQS 1944(1) may subsequently receive aresponse from the data source.

When DIQS 1944(1) analyzes the response from the data source anddetermines that the user is authorized to access remote application1942(1), DIQS 1944(1) transmits an authorization message 2255 to remoteapplication 1942(1). Remote application 1942(1) then transmits anauthorization message 2260 to tunnel bridge 1920, which in turn,transmits authorization message 2265 to endpoint device 1910. In someembodiments, when DIQS 1944(1) determines that the user is notauthorized to access remote application 1942(1), DIQS 1944(1) maytransmit an error message to remote application 1942(1) that specifiesthat the user credentials failed. In such instances, remote application1942(1) may transmit an error message to endpoint device 1910 via tunnelbridge 1920.

FIG. 23 is an example user interface for selecting a remote application1942 of FIG. 19 for authentication of a managed endpoint device 1910, inaccordance with example embodiments. Interface 2300 provided by endpointdevice 2310 includes managed endpoint device and two candidate remoteapplications 2322 and 2324.

In operation, endpoint management application 1912 analyzes resourcefile 1952 in order to retrieve a list of active and/or available remoteapplications with which endpoint device 1910 can register. For example,endpoint management application 1912 could access the contents ofresource file 1952, which identifies remote applications “SalesData_Main” and “EyefulSquirmEverett” as active remote applications 1942.Endpoint management application 1912 could then provide interface 2300that includes icons for each of the candidate remote applications 2322and 2324. Endpoint management application 1912 could respond to a userselection of a particular candidate remote application (e.g., remoteapplication 2324) by prompting the user to provide applicable usercredentials associated with the selected remote application 2324.

FIG. 24 sets for a flow diagram of method steps for authenticating amanaged endpoint device, in accordance with example embodiments.Although the method steps are described in conjunction with FIGS. 1-23 ,persons of ordinary skill in the art will understand that any systemconfigured to perform this method and/or methods described herein, inany order, and in any combination not logically contradicted, is withinthe scope of the present invention.

As shown, method 2400 begins at step 2401, where endpoint device 1910receives resource file 1952. In various embodiments, endpoint managementapplication 1912 included in endpoint device 1910 may receive resourcefile 1952 from endpoint device manager 1950. In various embodiments,endpoint management application 1912 may check at startup to see whetherresource file 1952 was received from endpoint device manager 1950. Forexample, endpoint device manager 1950 could execute a managed endpointdevice deployment technique to generate and transmit resource file 1952to a group of one or more endpoint devices, where endpoint device 1910is included in the group.

Resource file 1952 includes one or more encryption keys, as well as dataassociated with one or more remote applications 1942 operating in one ormore destination devices 1940. In various embodiments, resource file1952 may include one or more EDM keys in EDM key pair 1958. In someembodiments, resource file 1952 may include information from applicationlist 1956, which identifies active remote applications (e.g., remoteapplications 1942(1), 1942(2), etc.). In some embodiments, resource file1952 may include contents of an identifier file (e.g., identifier file1954(1)) that is associated with a given remote application 1942(1). Forexample, resource file 1952 could include, for remote application1942(1), a set of information that includes a public remote applicationkey associated with remote application 1942(1), and the name of remoteapplication 1942(1) (e.g., “EyefulSquirmEverett”). In some embodiments,resource file 1952 may include the contents of multiple identifier files1954, each identifier file 1954 respectively associated with a specificremote application 1942. In such instances, endpoint device manager 1950may generate resource file 1952 by concatenating multiple identifierfiles 1954.

At step 2403, endpoint device 1910 selects, based on the resource file,a target remote application with which to register. In variousembodiments, endpoint management application 1912 may access, fromresource file 1952, a list of active remote applications. Endpointmanagement application 1912 may refer to the list of active remoteapplications in order to identify a group of remote applications withwhich endpoint device 1910 can register. For example, resource file 1952could include the contents of application list 1956 that lists remoteapplications 1942(1), 1942(2), and 1942(3) as active applications. Insome embodiments, endpoint management application 1912 may provideinterface 2300 to the user of endpoint device 1910, where interface 2300includes lists the active remote applications. In such instances,endpoint management application 1912 may receive a user input (e.g.,selection of remote application 2322 that corresponds to remoteapplication 1942(1)) and, based on the user input, select the targetremote application 1942(1) from the group of active remote applications1942.

At step 2405, endpoint device 1910 generates a credential data packet.In various embodiments, upon selecting target remote application1942(1), endpoint management application 1912 may generate credentialdata packet 1915 based on contents of resource file 1952 that wasreceived at step 2401. For example, endpoint management application 1912could prompt a user to enter credentials associated with target remoteapplication 1942(1), such as user name and password, in order for targetremote application 1942(1) to authorize the user. In such instances,endpoint management application 1912 could generate credential datapacket 1915 that includes the user credentials in the payload.

At step 2407, endpoint device 1910, based on the resource file, encryptsthe credential data packet. In various embodiments, endpoint managementapplication 1912 may encrypt and/or sign credential data packet 1915using one or more encryption keys. For example, endpoint managementapplication 1912 could encrypt credential data packet 1915 using one ormore distinct encryption keys. Such keys could include a public keyassociated with target remote application 1942(1) and/or a privatedevice key associated with endpoint device 1910. Endpoint managementapplication 1912 may sign the encrypted credential data packet withprivate EDM key included in EDM key pair 1958 that is included inresource file 1952. In some embodiments, endpoint management application1912 may encrypt credential data packet 1915 with all three encryptionkeys.

At step 2409, endpoint device 1910 sends the encrypted credential datapacket towards the target remote application. In various embodiments,endpoint device 1910 may send an authorization request to the targetremote application 1942(1). In some embodiments, endpoint device 1910may include the encrypted credential data packet 1918 in theauthorization request. Endpoint device 1910 sends the authorizationrequest to the target remote application 1942(1) via tunnel bridge 1920.In some embodiments, endpoint device 1910 may periodically poll tunnelbridge 1920 in order to confirm that tunnel bridge 1920 receivedencrypted credential data packet 1918 and/or forwarded encryptedcredential data packet 1918 to target remote application 1942(1).

At step 2411, endpoint device 1910 sends subsequent packets to thetarget remote application. In various embodiments, endpoint device 1910may receive an authorization message originating from destination device1940(1) upon target remote application 1942(1) and/or DIQS 1944(1)authenticating endpoint device 1910 and determining that the user isauthorized to access target remote application 1942(1). Upon receivingan authorization message from the target remote application 1942(1),endpoint device 1910 sends subsequent packages to target remoteapplication 1942(1). For example, endpoint device 1910 could send one ormore data queries as encrypted messages to target remote application1942(1) in order to retrieve sets of data values via DIQS 1944(1).

In sum, an endpoint management application included in an endpointdevice securely connects to remote applications using trustedcommunications channels in order to directly register with one or moreremote applications. Before connecting to a destination device thatincludes a remote application, the endpoint device receives a resourcefile that contains information associated with one or more remoteapplications, as well as encryption keys associated with the one or moreremote applications. The endpoint management application selects aparticular remote application and retrieves, from the resource file, thecorresponding remote application key. The endpoint managementapplication also retrieves, from the resource file, an endpoint devicemanagement (EDM) key. The endpoint management application generates acredential data packet that includes various user credentials associatedwith the endpoint device and/or a user of the endpoint device. Thecredential data packet encrypted with one or more encryption keys and issigned with the EDM key.

The endpoint device sends the encrypted-and-signed credential datapacket to the selected remote application via a trusted communicationschannel. In some embodiments, a tunnel bridge may authenticate thesignature provided by the EDM key before transmitting the encryptedcredential data packet to the remote application. Upon receiving theencrypted credential data packet, the selected remote applicationauthenticates the encrypted credential data packet by validating anddecrypting the encrypted credential data packet. Upon authenticating thecredential data packet, the remote application authenticates the user bytransmitting an authorization packet that contains the user credentialsvia the trusted communications channel. The endpoint device may thensecurely transmit other packets to the remote application via thetrusted communications channel.

At least one technological advantage of the disclosed techniquesrelative to prior techniques is that individual users may, withoutrequiring intervention by an intermediate manager, directly register anendpoint device in order to access a remote application. Consequently,by eliminating intermediary systems in device authentication techniques,the disclosed techniques that provide automated authentication andauthorization thus enable devices to securely register and authenticatelarge numbers of devices when accessing devices within the networkedcomputing environment. Further, by enabling an endpoint device to signuser credentials using a provided endpoint device management key, anendpoint device manager can effectively cause endpoint devices to adhereto policies provided by the endpoint device manager.

1. In various embodiments, a computer-implemented method comprisesgenerating, based on a resource file stored at an endpoint device, acredential data packet for authenticating with a first applicationexecuting in a first network, where the resource file includes a set ofencryption keys associated with a plurality of applications includingthe first application, and where the credential data packet is encryptedwith a device key signed by the endpoint device, and the credential datapacket is signed by an endpoint device management (EDM) key extractedfrom the set of encryptions keys included in the resource file, sending,by the endpoint device, the credential data packet to the firstapplication via a trusted communication channel, and receiving, by theendpoint device and in response to the credential data packet, anauthorization packet from the first application via the trustedcommunication channel.

2. The computer-implemented method of clause 1, further comprisingreceiving, by the endpoint device from an endpoint device manager, theresource file, wherein the endpoint device manager generates the EDMkey.

3. The computer-implemented method of clause 1 or 2, further comprisingestablishing the trusted communications channel via a trusted tunnelbridge, where sending the credential data packet to the firstapplication comprises sending the credential data packet to the trustedtunnel bridge, and where the trusted tunnel bridge determines that theEDM key is validly signed.

4. The computer-implemented method of any of clauses 1-3, furthercomprising identifying, based on a list of the plurality of applicationsincluded in the resource file, the plurality of applications ascandidate applications to which the endpoint device can form one or moreconnections, and selecting the first application from the list of theplurality of applications.

5. The computer-implemented method of any of clauses 1-4, where theresource file includes, for each application included in the pluralityof applications, a distinct public key signed by the application.

6. The computer-implemented method of any of clauses 1-5, where theauthorization packet includes a credential token generated by adestination device, wherein the first application executes on thedestination device.

7. The computer-implemented method of any of clauses 1-6, where theresource file includes a list of the plurality of applications.

8. The computer-implemented method of any of clauses 1-7, furthercomprising sending, by the endpoint device after receiving theauthorization packet, at least one packet to a destination device viathe trusted communications channel.

9. The computer-implemented method of any of clauses 1-8, where theresource file is generated by combining a plurality of identifier files,and each identifier file included in the plurality of identifier filesis associated with an application included in the plurality ofapplications.

10. The computer-implemented method of any of clauses 1-9, furthercomprising receiving, by the endpoint device, at least one usercredential via user input, wherein generating the credential data packetfurther comprises including the at least one user credential in thecredential data packet.

11. In various embodiments, one or more non-transitory computer-readablemedia include instructions that, when executed by one or moreprocessors, cause the one or more processors to perform the steps ofgenerating, based on a resource file stored at an endpoint device, acredential data packet for authenticating with a first applicationexecuting in a first network, wherein the resource file includes a setof encryption keys associated with a plurality of applications includingthe first application, and where the credential data packet is encryptedwith a device key signed by the endpoint device, and the credential datapacket is signed by an endpoint device management (EDM) key extractedfrom the set of encryptions keys included in the resource file, sending,by the endpoint device, the credential data packet to the firstapplication via a trusted communication channel, and receiving, by theendpoint device and in response to the credential data packet, anauthorization packet from the first application via the trustedcommunication channel.

12. The one or more non-transitory computer-readable media of clause 11,further including instructions that, when executed by the one or moreprocessors, cause the one or more processors to perform the step ofreceiving, by the endpoint device from an endpoint device manager, theresource file, wherein the endpoint device manager generates the EDMkey.

13. The one or more non-transitory computer-readable media of clause 11or 12, further including instructions that, when executed by the one ormore processors, cause the one or more processors to perform the step ofestablishing the trusted communications channel via a trusted tunnelbridge, wherein sending the credential data packet to the firstapplication comprises sending the credential data packet to the trustedtunnel bridge, and wherein the trusted tunnel bridge determines that theEDM key is validly signed.

14. The one or more non-transitory computer-readable media of any ofclauses 11-13, further including instructions that, when executed by theone or more processors, cause the one or more processors to perform thestep of identifying, based on a list of the plurality of applicationsincluded in the resource file, the plurality of applications ascandidate applications to which the endpoint device can form one or moreconnections, and selecting the first application from the list of theplurality of applications.

15. The one or more non-transitory computer-readable media of any ofclauses 11-14, where the resource file includes, for each applicationincluded in the plurality of applications, a distinct public key signedby the application.

16. The one or more non-transitory computer-readable media of any ofclauses 11-15, where the authorization packet includes a credentialtoken generated by a destination device, where the first applicationexecutes on the destination device.

17. The one or more non-transitory computer-readable media of any ofclauses 11-16, wherein the resource file includes a list of theplurality of applications.

18. The one or more non-transitory computer-readable media of any ofclauses 11-17, further including instructions that, when executed by theone or more processors, cause the one or more processors to perform thestep of sending, by the endpoint device after receiving theauthorization packet, at least one packet to a destination device viathe trusted communications channel.

19. The one or more non-transitory computer-readable media of any ofclauses 11-18, where the resource file is generated by combining aplurality of identifier files, and each identifier file included in theplurality of identifier files is associated with an application includedin the plurality of applications.

20. The one or more non-transitory computer-readable media of any ofclauses 11-19, further including instructions that, when executed by theone or more processors, cause the one or more processors to perform thestep of receiving, by the endpoint device, at least one user credentialvia user input, wherein generating the credential data packet furthercomprises including the at least one user credential in the credentialdata packet.

21. In various embodiments, a computing device comprises a memory thatincludes an endpoint management application, and a processor that iscoupled to the memory and, when executing the endpoint managementapplication, performs the steps of generating, based on a resource filestored at an endpoint device, a credential data packet forauthenticating with a first application executing in a first network,wherein the resource file includes a set of encryption keys associatedwith a plurality of applications including the first application, andwhere the credential data packet is encrypted with a device key signedby the endpoint device, and the credential data packet is signed by anendpoint device management (EDM) key extracted from the set ofencryptions keys included in the resource file, sending, by the endpointdevice, the credential data packet to the first application via atrusted communication channel, and receiving, by the endpoint device andin response to the credential data packet, an authorization packet fromthe first application via the trusted communication channel.

22. The computing device of clause 21, where the processor furtherexecutes the endpoint management application by receiving, by theendpoint device from an endpoint device manager, the resource file,wherein the endpoint device manager generates the EDM key.

23. The computing device of clause 21 or 22, where the processor furtherexecutes the endpoint management application by establishing the trustedcommunications channel via a trusted tunnel bridge, wherein sending thecredential data packet to the first application comprises sending thecredential data packet to the trusted tunnel bridge, and wherein thetrusted tunnel bridge determines that the EDM key is validly signed.

24. The computing device of any of clauses 21-23, where the processorfurther executes the endpoint management application by identifying,based on a list of the plurality of applications included in theresource file, the plurality of applications as candidate applicationsto which the endpoint device can form one or more connections, andselecting the first application from the list of the plurality ofapplications.

25. The computing device of any of clauses 21-24, where the resourcefile includes, for each application included in the plurality ofapplications, a distinct public key signed by the application.

26. The computing device of any of clauses 21-25, where theauthorization packet includes a credential token generated by adestination device, wherein the first application executes on thedestination device.

27. The computing device of any of clauses 21-26, where the resourcefile includes a list of the plurality of applications.

28. The computing device of any of clauses 21-27, where the processorfurther executes the endpoint management application by sending, by theendpoint device after receiving the authorization packet, at least onepacket to a destination device via the trusted communications channel.

29. The computing device of any of clauses 21-28, where the resourcefile is generated by combining a plurality of identifier files, and eachidentifier file included in the plurality of identifier files isassociated with an application included in the plurality ofapplications.

30. The computing device of any of clauses 21-29, where the processorfurther executes the endpoint management application by receiving, bythe endpoint device, at least one user credential via user input,wherein generating the credential data packet further comprisesincluding the at least one user credential in the credential datapacket.

Any and all combinations of any of the claim elements recited in any ofthe claims and/or any elements described in this application, in anyfashion, fall within the contemplated scope of the present invention andprotection.

The descriptions of the various embodiments have been presented forpurposes of illustration, but are not intended to be exhaustive orlimited to the embodiments disclosed. Many modifications and variationswill be apparent to those of ordinary skill in the art without departingfrom the scope and spirit of the described embodiments.

Aspects of the present embodiments may be embodied as a system, methodor computer program product. Accordingly, aspects of the presentdisclosure may take the form of an entirely hardware embodiment, anentirely software embodiment (including firmware, resident software,micro-code, etc.) or an embodiment combining software and hardwareaspects that may all generally be referred to herein as a “module” or“system.” In addition, any hardware and/or software technique, process,function, component, engine, module, or system described in the presentdisclosure may be implemented as a circuit or set of circuits.Furthermore, aspects of the present disclosure may take the form of acomputer program product embodied in one or more computer readablemedium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

Aspects of the present disclosure are described above with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, enable the implementation of the functions/acts specified inthe flowchart and/or block diagram block or blocks. Such processors maybe, without limitation, general purpose processors, special-purposeprocessors, application-specific processors, or field-programmable gatearrays.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent one or more modules, segments,or portions of code, which each comprise one or more executableinstructions for implementing the specified logical function(s). Itshould also be noted that, in some alternative implementations, thefunctions noted in the block may occur out of the order noted in thefigures. For example, two blocks shown in succession may, in fact, beexecuted substantially concurrently, or the blocks may sometimes beexecuted in the reverse order, depending upon the functionalityinvolved. It will also be noted that each block of the block diagramsand/or flowchart illustration, and combinations of blocks in the blockdiagrams and/or flowchart illustration, can be implemented by specialpurpose hardware-based systems that perform the specified functions oracts, or combinations of special purpose hardware and computerinstructions.

While the preceding is directed to embodiments of the presentdisclosure, other and further embodiments of the disclosure may bedevised without departing from the basic scope thereof, and the scopethereof is determined by the claims that follow.

What is claimed is:
 1. A computer-implemented method comprising:generating, from a credential data packet and based on a resource filestored at an endpoint device, a signed and encrypted credential datapacket operable for authentication with a first application executing ina first network, wherein: the resource file includes a set of encryptionkeys associated with a plurality of applications including the firstapplication, the credential data packet is encrypted by the endpointdevice with a device key associated with the endpoint device to generatethe signed and encrypted credential data packet, and the encryptedcredential data packet is signed by an endpoint device management (EDM)key, extracted from the set of encryptions keys, to generate the signedand encrypted credential data packet; sending, by the endpoint device,the signed and encrypted credential data packet to the first applicationvia a trusted communication channel; and receiving, by the endpointdevice and in response to the signed and encrypted credential datapacket, an authorization packet from the first application via thetrusted communication channel upon successful authentication of thesigned and encrypted credential data packet.
 2. The computer-implementedmethod of claim 1, further comprising receiving, by the endpoint devicefrom an endpoint device manager, the resource file, wherein: theendpoint device manager generates the EDM key, and the endpoint devicemanager transmits the resource file to a group of devices that includesthe endpoint device.
 3. The computer-implemented method of claim 1,further comprising establishing the trusted communications channel via atrusted tunnel bridge, wherein: sending the signed and encryptedcredential data packet to the first application comprises sending thesigned and encrypted credential data packet to the trusted tunnelbridge, and the trusted tunnel bridge determines that signed andencrypted credential data packet is validly signed with the EDM key. 4.The computer-implemented method of claim 1, further comprising:identifying, based on a list of the plurality of applications includedin the resource file, one or more of the plurality of applications ascandidate applications to which the endpoint device can form one or moreconnections; and selecting the first application from the list of theplurality of applications.
 5. The computer-implemented method of claim1, wherein the resource file includes, for each application included inthe plurality of applications, a distinct public key signed by theapplication.
 6. The computer-implemented method of claim 1, wherein: theauthorization packet includes a credential token generated by adestination device, and the first application executes on thedestination device.
 7. The computer-implemented method of claim 1,wherein the resource file includes a list of the plurality ofapplications.
 8. The computer-implemented method of claim 1, furthercomprising: sending, by the endpoint device after receiving theauthorization packet, at least one packet to a destination device viathe trusted communications channel.
 9. The computer-implemented methodof claim 1, wherein: the resource file is generated by combining aplurality of identifier files, and each identifier file included in theplurality of identifier files is associated with an application includedin the plurality of applications.
 10. The computer-implemented method ofclaim 1, further comprising: receiving, by the endpoint device, at leastone user credential via user input, wherein generating the signed andencrypted credential data packet further comprises, prior to encryptingthe credential data packet, including the at least one user credentialin the credential data packet.
 11. One or more non-transitorycomputer-readable media including instructions that, when executed byone or more processors, cause the one or more processors to perform thesteps of: generating, from a credential data packet and based on aresource file stored at an endpoint device, a signed and encryptedcredential data packet operable for authentication with a firstapplication executing in a first network, wherein: the resource fileincludes a set of encryption keys associated with a plurality ofapplications including the first application, the credential data packetis encrypted by the endpoint device with a device key associated withthe endpoint device to generate the signed and encrypted credential datapacket, and the encrypted credential data packet is signed by anendpoint device management (EDM) key, extracted from the set ofencryptions keys, to generate the signed and encrypted credential datapacket; sending, by the endpoint device, the signed and encryptedcredential data packet to the first application via a trustedcommunication channel; and receiving, by the endpoint device and inresponse to the signed and encrypted credential data packet, anauthorization packet from the first application via the trustedcommunication channel upon successful authentication of the signed andencrypted credential data packet.
 12. The one or more non-transitorycomputer-readable media of claim 11, further including instructionsthat, when executed by the one or more processors, cause the one or moreprocessors to perform the step of receiving, by the endpoint device froman endpoint device manager, the resource file, wherein: the endpointdevice manager generates the EDM key, and the endpoint device managertransmits the resource file to a group of devices that includes theendpoint device.
 13. The one or more non-transitory computer-readablemedia of claim 11, further including instructions that, when executed bythe one or more processors, cause the one or more processors to performthe step of establishing the trusted communications channel via atrusted tunnel bridge, wherein: sending the signed and encryptedcredential data packet to the first application comprises sending thesigned and encrypted credential data packet to the trusted tunnelbridge, and the trusted tunnel bridge determines that signed andencrypted credential data packet is validly signed with the EDM key. 14.The one or more non-transitory computer-readable media of claim 11,further including instructions that, when executed by the one or moreprocessors, cause the one or more processors to perform the step of:identifying, based on a list of the plurality of applications includedin the resource file, one or more of the plurality of applications ascandidate applications to which the endpoint device can form one or moreconnections; and selecting the first application from the list of theplurality of applications.
 15. The one or more non-transitorycomputer-readable media of claim 11, wherein the resource file includes,for each application included in the plurality of applications, adistinct public key signed by the application.
 16. The one or morenon-transitory computer-readable media of claim 11, wherein: theauthorization packet includes a credential token generated by adestination device, and the first application executes on thedestination device.
 17. The one or more non-transitory computer-readablemedia of claim 11, wherein the resource file includes a list of theplurality of applications.
 18. The one or more non-transitorycomputer-readable media of claim 11, further including instructionsthat, when executed by the one or more processors, cause the one or moreprocessors to perform the step of: sending, by the endpoint device afterreceiving the authorization packet, at least one packet to a destinationdevice via the trusted communications channel.
 19. The one or morenon-transitory computer-readable media of claim 11, wherein: theresource file is generated by combining a plurality of identifier files,and each identifier file included in the plurality of identifier filesis associated with an application included in the plurality ofapplications.
 20. The one or more non-transitory computer-readable mediaof claim 11, further including instructions that, when executed by theone or more processors, cause the one or more processors to perform thestep of: receiving, by the endpoint device, at least one user credentialvia user input, wherein generating the signed and encrypted credentialdata packet further comprises, prior to encrypting the credential datapacket, including the at least one user credential in the credentialdata packet.
 21. A computing device, comprising: a memory that includesan endpoint management application; and a processor that is coupled tothe memory and, when executing the endpoint management application,performs the steps of: generating, from a credential data packet andbased on a resource file stored at an endpoint device, a signed andencrypted credential data packet operable for authentication with afirst application executing in a first network, wherein: the resourcefile includes a set of encryption keys associated with a plurality ofapplications including the first application, the credential data packetis encrypted by the endpoint device with a device key associated withthe endpoint device to generate the signed and encrypted credential datapacket, and the encrypted credential data packet is signed by anendpoint device management (EDM) key, extracted from the set ofencryptions keys, to generate the signed and encrypted credential datapacket; sending, by the endpoint device, the signed and encryptedcredential data packet to the first application via a trustedcommunication channel; and receiving, by the endpoint device and inresponse to the signed and encrypted credential data packet, anauthorization packet from the first application via the trustedcommunication channel upon successful authentication of the signed andencrypted credential data packet.
 22. The computing device of claim 21,wherein the processor further executes the endpoint managementapplication by receiving, by the endpoint device from an endpoint devicemanager, the resource file, wherein: the endpoint device managergenerates the EDM key, and the endpoint device manager transmits theresource file to a group of devices that includes the endpoint device.23. The computing device of claim 21, wherein the processor furtherexecutes the endpoint management application by establishing the trustedcommunications channel via a trusted tunnel bridge, wherein: sending thesigned and encrypted credential data packet to the first applicationcomprises sending the signed and encrypted credential data packet to thetrusted tunnel bridge, and the trusted tunnel bridge determines thatsigned and encrypted credential data packet is validly signed with theEDM key.
 24. The computing device of claim 21, wherein the processorfurther executes the endpoint management application by: identifying,based on a list of the plurality of applications included in theresource file, one or more of the plurality of applications as candidateapplications to which the endpoint device can form one or moreconnections; and selecting the first application from the list of theplurality of applications.
 25. The computing device of claim 21, whereinthe resource file includes, for each application included in theplurality of applications, a distinct public key signed by theapplication.
 26. The computing device of claim 21, wherein: theauthorization packet includes a credential token generated by adestination device, and the first application executes on thedestination device.
 27. The computing device of claim 21, wherein theresource file includes a list of the plurality of applications.
 28. Thecomputing device of claim 21, wherein the processor further executes theendpoint management application by: sending, by the endpoint deviceafter receiving the authorization packet, at least one packet to adestination device via the trusted communications channel.
 29. Thecomputing device of claim 21, wherein: the resource file is generated bycombining a plurality of identifier files, and each identifier fileincluded in the plurality of identifier files is associated with anapplication included in the plurality of applications.
 30. The computingdevice of claim 21, wherein the processor further executes the endpointmanagement application by: receiving, by the endpoint device, at leastone user credential via user input, wherein generating the signed andencrypted credential data packet further comprises, prior to encryptingthe credential data packet, including the at least one user credentialin the credential data packet.